Bug 1608783

Summary: ipa trust-add fails in FIPS mode.
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.6
CC: abokovoy, cobrown, frenaud, gkaihoro, ndehadra, pasik, pvoborni, rcritten, rharwood, tscherf
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.6.4-6.el7
Doc Type: If docs needed, set a value
Clones: 1615765
Last Closed: 2018-10-30 11:00:22 UTC
Type: Bug

Attachments:
  console-output
  http error log
  dirsrv error logs
  samba logs

Description Sudhir Menon 2018-07-26 09:50:41 UTC
Description of problem: ipa trust-add fails in FIPS mode.


Version-Release number of selected component (if applicable):
[root@intel-canoepass-12 abrt]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

ipa-server-4.6.4-3.el7.x86_64
sssd-1.16.2-7.el7.x86_64
krb5-server-1.15.1-33.el7.x86_64
pki-server-10.5.9-3.el7.noarch
389-ds-base-1.3.8.4-8.el7.x86_64
samba-4.8.3-3.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Set up IPA on a FIPS-enabled machine
2. Establish trust with Windows 2K16 AD
3. Check the message displayed on the console.

Actual results:
3. echo password | ipa trust-add ipaad2016.test --admin Administrator  --two-way=True --password

ipa: ERROR: CIFS server communication error: code "3221225473", message "{Operation Failed} The requested operation was unsuccessful." (both may be "None")

Expected results:
Trust should be established without any error.

Additional info: 
Attaching the samba, http and dirsrv debug logs for reference.

Comment 2 Sudhir Menon 2018-07-26 09:52:54 UTC
Created attachment 1470670 [details]
console-output

Comment 3 Sudhir Menon 2018-07-26 09:57:12 UTC
Created attachment 1470671 [details]
http error log

Comment 4 Sudhir Menon 2018-07-26 09:58:05 UTC
Created attachment 1470672 [details]
dirsrv error logs

Comment 5 Sudhir Menon 2018-07-26 10:04:17 UTC
Created attachment 1470675 [details]
samba logs

Comment 8 Rob Crittenden 2018-07-30 15:46:18 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7659

Comment 9 Alexander Bokovoy 2018-08-09 08:24:03 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/2228

Comment 10 Florence Blanc-Renaud 2018-08-16 13:14:39 UTC
Fixed upstream
master:
    https://pagure.io/freeipa/c/de8f969f2d40722b590f43ab9bb31eada58ec4b3 Move fips_enabled to a common library to share across different plugins
    https://pagure.io/freeipa/c/6907a0cef7f22293c16df17aa486f7ec2d8a0899 ipasam: do not use RC4 in FIPS mode

ipa-4-7:
    https://pagure.io/freeipa/c/5e8bc96b2aca26878f98e8180ee21e94f06ae9f1 Move fips_enabled to a common library to share across different plugins
    https://pagure.io/freeipa/c/04c5798d61d4c2275592b77467adc927f3a08b0d ipasam: do not use RC4 in FIPS mode

ipa-4-6:
    https://pagure.io/freeipa/c/2ede8e6b90d8cec4ba651ecd14e1213536a585d6 Move fips_enabled to a common library to share across different plugins
    https://pagure.io/freeipa/c/0a89f648d600610b6a17438847eb0d18c47be6db ipasam: do not use RC4 in FIPS mode

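The second commit in each branch above ("ipasam: do not use RC4 in FIPS mode") is the substantive fix: ipasam, the Samba passdb module FreeIPA uses for trusts, was still asking for RC4-HMAC (Kerberos enctype 23) keys for the trust account, and a FIPS 140-2 build of the crypto libraries refuses RC4, which surfaced as the opaque NT_STATUS 3221225473 (0xC0000001, STATUS_UNSUCCESSFUL) quoted in the description. The first commit just moves the kernel FIPS check into a shared library so every plugin consults the same flag. The following Python is an added illustration of that logic, not FreeIPA's or Samba's own code: the function names, the enctype table and the path to the kernel flag are this example's assumptions, and the only real interface it relies on is /proc/sys/crypto/fips_enabled reporting "1" when FIPS mode is on.

```python
"""Added example: pick trust-account Kerberos enctypes while honouring FIPS mode.

This is illustrative code, not FreeIPA's ipasam implementation. The enctype
numbers are the standard IANA/RFC assignments; everything else (function names,
the NON_FIPS set, the sample input) is an assumption made for the example.
"""

# Kernel flag read by the check the fix moved into a shared library.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

# Kerberos enctype numbers (RFC 3961/3962/4757), keyed by the krb5 display name.
ENCTYPES = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,  # RC4-HMAC: the enctype a FIPS host cannot derive keys for
}

# Assumption for this example: DES and RC4 are the enctypes a FIPS 140-2
# crypto library rejects; AES-SHA1 stays usable.
NON_FIPS_ENCTYPES = {1, 3, 23}


def fips_enabled_from_text(text):
    """Interpret the contents of the fips_enabled flag file."""
    return text.strip() == "1"


def fips_enabled(path=FIPS_FLAG):
    """Return True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        with open(path) as flag:
            return fips_enabled_from_text(flag.read())
    except OSError:
        return False


def select_trust_enctypes(requested, fips):
    """Drop the enctypes a FIPS host cannot use before keys are generated.

    `requested` is an ordered list of enctype names the trust should carry.
    Raising here gives the administrator a clear reason instead of the
    STATUS_UNSUCCESSFUL the CIFS layer reported before the fix.
    """
    chosen = []
    for name in requested:
        etype = ENCTYPES[name]  # KeyError on a name this table does not know
        if fips and etype in NON_FIPS_ENCTYPES:
            continue
        chosen.append(name)
    if not chosen:
        raise ValueError("no FIPS-approved enctypes left in %r" % (requested,))
    return chosen


if __name__ == "__main__":
    # Constructed sample input: what a two-way AD trust would typically request.
    wanted = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"]
    on = fips_enabled()
    print("FIPS mode:", on)
    print("enctypes:", select_trust_enctypes(wanted, on))
```

Run on the IPA server itself, the script prints the kernel's FIPS state and the enctype list that would survive; on a FIPS host the RC4 entry disappears, which is exactly what the verified trust-add in the next comment relies on. Note that the AD side must then offer AES for the trust as well, otherwise no common enctype remains and the request fails for a different reason.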
Comment 12 Nikhil Dehadrai 2018-08-17 18:41:08 UTC
ipa-server-version and components:
sssd-1.16.2-12.el7.x86_64
ipa-server-4.6.4-6.el7.x86_64
389-ds-base-1.3.8.4-10.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64

Verified the bug on the basis of following observations:
1. Verified that trust-addition is successful in FIPS mode
2. Verified that trust addition is successful in non-FIPS mode.

Console output: (FIPS)
:: [ 23:15:45 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add ipaad2016.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True'
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [ 23:16:05 ] :: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add ipaad2016.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)


Console output: (Non-FIPS)

:: [ 12:53:44 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add ipaad2016.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True'
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [ 12:53:49 ] :: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add ipaad2016.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)


Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 15 errata-xmlrpc 2018-10-30 11:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187