Bug 2050138

Summary: ipa-server-install command is failing in FIPS mode
Product: Red Hat Enterprise Linux 9
Reporter: Mohammad Rizwan <myusuf>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED DUPLICATE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: dpal, fdvorak, frenaud, jrische, rcritten, tapazogl, tscherf
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-02-03 14:17:24 UTC
Type: Bug
Bug Depends On: 2039684

Description Mohammad Rizwan 2022-02-03 10:46:55 UTC
Description of problem:
ipa-server-install command is failing in FIPS mode

Version-Release number of selected component (if applicable):
ipa-server-4.9.8-1.el9.x86_64
ipa-server-dns-4.9.8-1.el9.noarch
python3-3.9.10-1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Enable fips mode
2. ipa-server-install ...

Actual results:
ipa-server-install command is failing

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL9.0/job/Nightly-FIPS/job/tier-1-RHEL9.0-Nightly-FIPS-bash-ipa-ctl/15/

http://idm-artifacts.usersys.redhat.com/freeipa/Nightly-FIPS/RHEL9.0/2022-02-02/tier-1/bash-ipa-ctl/15/logs/ipaserver-install.log.gz

Expected results:
ipa-server-install command success

Additional info:
[..]
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [error] RuntimeError: Failed to initialize kerberos container
Failed to initialize kerberos container
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Comment 1 Florence Blanc-Renaud 2022-02-03 11:28:17 UTC
From the install log, the issue looks very similar to Bug 2039684 - FIPS: kdb5_utils failed to create KDC db with default master_key_type (aes256-cts-hmac-sha1-96):

2022-02-03T10:13:44Z DEBUG args=['kdb5_util', 'create', '-s', '-r', 'TESTREALM.TEST', '-x', 'ipa-setup-override-restrictions']
2022-02-03T10:13:44Z DEBUG Process finished, return code=1
2022-02-03T10:13:44Z DEBUG stdout=Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TESTREALM.TEST',
master key name 'K/M'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

2022-02-03T10:13:44Z DEBUG stderr=kdb5_util: Cryptosystem internal error while transforming master key from password

2022-02-03T10:13:44Z DEBUG kdb5_util failed with CalledProcessError(Command ['kdb5_util', 'create', '-s', '-r', 'TESTREALM.TEST', '-x', 'ipa-setup-override-restrictions'] returned non-zero exit status 1: 'kdb5_util: Cryptosystem internal error while transforming master key from password\n')


Moving to krb5 for further investigation.

@myusuf can you add the krb5-related info (which version is installed)? Thx

Comment 2 Mohammad Rizwan 2022-02-03 11:35:59 UTC
[root@master ~]# rpm -qa | grep krb5
krb5-libs-1.19.1-13.el9.x86_64
krb5-pkinit-1.19.1-13.el9.x86_64
krb5-workstation-1.19.1-13.el9.x86_64
sssd-krb5-common-2.6.2-2.el9.x86_64
krb5-server-1.19.1-13.el9.x86_64

Comment 4 Julien Rische 2022-02-03 14:17:24 UTC
Due to bug 2039684, KDC DB initialization will fail for these encryption types:

  * des-hmac-sha1
  * aes128-cts (alias of aes128-cts-hmac-sha1-96)
  * aes256-cts (alias of aes256-cts-hmac-sha1-96)

aes256-cts being the enctype used for the KDC master key [1]. So this will definitely not work until bug 2039684 is fixed.


[1] https://pagure.io/freeipa/blob/ipa-4-9/f/install/share/kdc.conf.template#_9

*** This bug has been marked as a duplicate of bug 2039684 ***
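The failing step, as an added example that is not code from the bug, from krb5 or from FreeIPA: the kdb5_util error "while transforming master key from password" is the string-to-key operation for the configured master_key_type. For aes256-cts-hmac-sha1-96 (and aes128-cts-hmac-sha1-96) RFC 3962 defines that as PBKDF2 with HMAC-SHA1 over the password and the principal's default salt, followed by the RFC 3961 DK step with AES. The Go program below (standard library only) implements that derivation and the RFC 4120 default salt, so the salt for the master key principal K/M@TESTREALM.TEST comes out as "TESTREALM.TESTKM". The master-key password "Secret123" is a constructed value; 4096 is the RFC 3962 default iteration count. The program checks itself against the RFC 3962 Appendix B test vector. Which of these primitives a FIPS-mode provider rejects is what bug 2039684 is about and is not established on this page; the example only shows what the KDC has to compute for this enctype.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// nfold128Kerberos is the RFC 3961 n-fold of the ASCII constant "kerberos"
// to 128 bits (RFC 3961 Appendix A.1). The DK step encrypts this block to
// turn the PBKDF2 output into the final AES key.
var nfold128Kerberos = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// DefaultSalt returns the RFC 4120 default salt for a principal: the realm
// followed by every name component, with no separators. For the KDC master
// key principal "K/M@TESTREALM.TEST" this is "TESTREALM.TESTKM".
func DefaultSalt(principal string) string {
	at := strings.LastIndex(principal, "@")
	if at < 0 {
		return ""
	}
	return principal[at+1:] + strings.ReplaceAll(principal[:at], "/", "")
}

// pbkdf2HMACSHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1 as the PRF, the only
// PRF RFC 3962 allows for the aes*-cts-hmac-sha1-96 string-to-key.
func pbkdf2HMACSHA1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	var blockIndex [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(blockIndex[:], uint32(i))
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(blockIndex[:])
		u := mac.Sum(nil)               // U_1
		t := append([]byte(nil), u...) // T_i accumulates the XOR of U_1..U_c
		for j := 1; j < iter; j++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(password, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is RFC 3961 DK(tkey, "kerberos") for AES: encrypt
// n-fold("kerberos") under tkey, then keep encrypting the previous output
// block until keyLen bytes are collected. Every block starts from the zero
// initial cipher state, so for one-block inputs CBC-CTS is plain AES.
func deriveKey(tkey []byte, keyLen int) ([]byte, error) {
	c, err := aes.NewCipher(tkey) // 16 bytes selects AES-128, 32 selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, keyLen)
	in := nfold128Kerberos
	for len(out) < keyLen {
		blk := make([]byte, aes.BlockSize)
		c.Encrypt(blk, in)
		out = append(out, blk...)
		in = blk
	}
	return out[:keyLen], nil
}

// AESStringToKey is the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96
// (keyLen 16) and aes256-cts-hmac-sha1-96 (keyLen 32).
func AESStringToKey(password, salt string, iter, keyLen int) ([]byte, error) {
	tkey := pbkdf2HMACSHA1([]byte(password), []byte(salt), iter, keyLen)
	return deriveKey(tkey, keyLen)
}

func main() {
	// RFC 3962 Appendix B vector: iteration count 1, "password", "ATHENA.MIT.EDUraeburn".
	key, err := AESStringToKey("password", "ATHENA.MIT.EDUraeburn", 1, 32)
	if err != nil {
		panic(err)
	}
	fmt.Println("RFC 3962 aes256 key:", hex.EncodeToString(key))

	// What kdb5_util has to compute for the K/M master key in the bug's realm.
	// "Secret123" is a constructed password; 4096 is the RFC 3962 default count.
	mk, err := AESStringToKey("Secret123", DefaultSalt("K/M@TESTREALM.TEST"), 4096, 32)
	if err != nil {
		panic(err)
	}
	fmt.Println("K/M@TESTREALM.TEST master key:", hex.EncodeToString(mk))
}
```

Run it with go run; the first line must match the 256-bit AES key in RFC 3962 Appendix B. Every byte of the final master key depends on HMAC-SHA1 through PBKDF2, which is why the master_key_type in kdc.conf (the line comment 4 points to) decides whether the KDC can be created on a system whose crypto provider restricts SHA-1-based key derivation.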