Bug 1924707
| Summary: | Establishing trust with AD domain using shared secret fails in FIPS mode | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sergey Orlov <sorlov> |
| Component: | ipa | Assignee: | Trivino <ftrivino> |
| Status: | CLOSED MIGRATED | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | lmcgarry |
| Priority: | high | ||
| Version: | 8.4 | CC: | abokovoy, awestbro, ftrivino, gkaihoro, pasik, rcritten, ssidhaye, tscherf |
| Target Milestone: | rc | Keywords: | Documentation, MigratedToJIRA, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: |
.FIPS mode does not support using a shared secret to establish a cross-forest trust
Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-18 18:39:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
Please collect Samba debug logs and network traces between IPA and AD DCs during this test run. All traffic, both TCP and UDP. With "log level = 10" in /usr/share/ipa/smb.conf.empty no lines are added to /var/log/httpd/error_log during execution of CreateLocalSideOfTrustRelationship In attached log the last message is dated "16:10:30" while command was executed around 16:24 I also attach two trafic logs for two sequental attempts to execute CreateLocalSideOfTrustRelationship master1.testrelm.test is 192.168.121.73 ad1.ad.test is 192.168.121.165 Created attachment 1756396 [details]
/var/log/httpd/error_log
Created attachment 1756397 [details]
/var/log/samba/log.smbd
Created attachment 1756398 [details]
network traffic for first attempt to run CreateLocalSideOfTrustRelationship
Created attachment 1756399 [details]
network traffic for second attempt to run CreateLocalSideOfTrustRelationship
Created attachment 1756400 [details]
/var/log/samba
Samba logs collected with "net conf setparm global loglevel 10"
I have tried to establish trust using Windows GUI as explained in https://freeipa.readthedocs.io/en/latest/designs/adtrust/oneway-trust-with-shared-secret.html In step "Choose ‘Forest trust’ on the Trust Type page" it presents another dialog: "To create this trust relationship you must supply user credentials for the specified domain" Created attachment 1756403 [details]
network traffic for CreateLocalSideOfTrustRelationship without FIPS
Without FIPS both variants works. I have provided network traffic capture for establishing trust using PowerShell. So, according to the network traffic for non-FIPS mode, AD DC attempts to auth to IPA DC with NTLMSSP. That's blocked in FIPS mode because RC4 (NTLM hash) is not allowed in FIPS mode, so that should be expected. The difference: in case of non-FIPS we respond with with STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE which leads to eventual STATUS_LOGON_FAILURE and then use of a different method. In FIPS mode we don't do that and AD DC never goes further with a different method. Created attachment 1756632 [details]
logs with rc4 disabled on Windows side
This warrant more investigation which may prove it would be not possible to use a shared secret trust in FIPS mode. I added a documentation note for RHEL 8.4. Upstream ticket: https://pagure.io/freeipa/issue/8715 Tests for trust with shared secret should be skipped in FIPS mode: https://bugzilla.redhat.com/show_bug.cgi?id=1930796 Hi Triviño, Do you know if it looks like this bug might get fixed in time for RHEL 8.8? Take care, Josip Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: When trying to establish trust with AD domain with IPA in FIPS mode creation of Windows side of trust fails with "Access denied" Version-Release number of selected component (if applicable): ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 How reproducible: Always Steps to Reproduce: 1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py 2. Look at results of test case "test_establish_forest_trust_with_shared_secret" Actual results: transport.py 513 DEBUG RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")'] transport.py 558 DEBUG bash: line 2: /home/Administrator/env.sh: No such file or directory transport.py 558 DEBUG Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied. transport.py 558 DEBUG " transport.py 558 DEBUG At line:1 char:1 transport.py 558 DEBUG + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ... transport.py 558 DEBUG + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ transport.py 558 DEBUG + CategoryInfo : NotSpecified: (:) [], MethodInvocationException transport.py 558 DEBUG + FullyQualifiedErrorId : UnauthorizedAccessException transport.py 558 DEBUG transport.py 214 ERROR Exit code: 1 Additional info: The test succeeds in non-FIPS mode in otherwise equivalent environment.