Bug 1599721

Summary: ipa-server-install fails when FIPS mode is enabled
Product: Red Hat Enterprise Linux 7 Reporter: Mohammad Rizwan <myusuf>
Component: krb5Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA QA Contact: Patrik Kis <pkis>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.6CC: dpal, frenaud, pkis, pvoborni, rcritten, rharwood, tscherf
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.15.1-33.el7 Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 08:08:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1570600    

Description Mohammad Rizwan 2018-07-10 12:32:20 UTC 
Description of problem:
ipa-server-install fails when FIPS mode is enabled

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-2.el7.x86_64
ipa-server-dns-4.6.4-2.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable FIPS mode
2. ipa-server-install
/usr/sbin/ipa-server-install --setup-dns --forwarder <xx.xx.xx.xx> --domain testrelm.test --realm TESTRELM.TEST --admin-password Secret123 --ds-password Secret123 -U --reverse-zone x.xx.xx.in-addr.arpa. --allow-zone-overlap --domain-level=1


Actual results:
ipa-server-install fails

  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR    DNS query for master.testrelm.test. 1 failed: All nameservers failed to answer the query master.testrelm.test. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR    DNS query for master.testrelm.test. 1 failed: All nameservers failed to answer the query master.testrelm.test. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR    unable to resolve host name master.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638972): Generic error (see e-text)
Installation failed. As this is IPA server, changes will not be rolled back.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipapython.admintool: ERROR    Configuration of client side components failed!
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Expected results:
ipa-server-install success

Additional info:
Comment 6 Florence Blanc-Renaud 2018-07-10 14:38:58 UTC 
ipa-client-install is performing an operation equivalent to
kinit -kt /etc/krb5.keytab -c /etc/ipa/.dns_ccache
and this call fails.

The corresponding log in /var/log/krb5kdc.log is the following:
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: NEEDED_PREAUTH: host/master.testrelm.test for krbtgt/TESTRELM.TEST, Additional pre-authentication required
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: GENERATE_TICKET_ID: host/master.testrelm.test for krbtgt/TESTRELM.TEST, Cannot allocate memory
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13

Robbie, could you have a look at the issue? It is possible that some configuration is missing for FIPS. The conf is the following:
# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = master.testrelm.test:88
  master_kdc = master.testrelm.test:88
  admin_server = master.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 master.testrelm.test = TESTRELM.TEST

[dbmodules]
  TESTRELM.TEST = {
    db_library = ipadb.so
  }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
Comment 7 Robbie Harwood 2018-07-10 18:30:36 UTC 
This means that kau_make_tkt_id() failed.  I believe this is because it attempted to use CKSUMTYPE_RSA_MD5 as a checksum and got back ENOMEM (?) somehow.  I will investigate further.
Comment 9 Robbie Harwood 2018-07-10 20:21:40 UTC 
Reproduced locally.  This happens because of an MD5 usage exposed by https://bugzilla.redhat.com/show_bug.cgi?id=1570600 .  Taking bug.
Comment 20 errata-xmlrpc 2018-10-30 08:08:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3071