Bug 2100115

Summary: ipa client on RHEL 8 can't retrieve vault data from a RHEL 9 server
Product: Red Hat Enterprise Linux 8
Reporter: Sam Morris <sam>
Component: ipa
Assignee: Trivino <ftrivino>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.6
CC: myusuf, pasik, rcritten, rjeffman, ssidhaye, sumenon, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.10-1.module+el8.7.0+15691+2b2c1dd5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-08 09:36:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sam Morris 2022-06-22 13:33:42 UTC
Description of problem:
I've added a RHEL 9 server to my IPA domain and I am finding that 'ipa vault-retrieve' fails intermittently.

It turns out that whenever the ipa client talks to the RHEL 9 server, this error happens:

[sam@xoanon ~]$ ipa vault-retrieve --service host/myhost.example.com password
ipa: ERROR: non-public: ValueError: Invalid IV size (16) for CBC.
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipaclient/plugins/vault.py", line 1072, in forward
    response['result']['vault_data']
  File "/usr/lib/python3.6/site-packages/ipaclient/plugins/vault.py", line 1021, in _unwrap_response
    cipher = Cipher(algo, modes.CBC(nonce), backend=default_backend())
  File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/primitives/ciphers/base.py", line 113, in __init__
    mode.validate_for_algorithm(algorithm)
  File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/primitives/ciphers/modes.py", line 84, in _check_iv_and_key_length
    _check_iv_length(self, algorithm)
  File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/primitives/ciphers/modes.py", line 77, in _check_iv_length
    len(self.initialization_vector), self.name
ValueError: Invalid IV size (16) for CBC.
ipa: ERROR: an internal error has occurred

To reproduce on a RHEL 8 client, set 'server' to the fqdn of a RHEL 9 ipa-server with KRA installed, and try to retrieve from a vault.

Version-Release number of selected component (if applicable):
ipa-client-4.9.8-6.module+el8.6.0+14300+0c339766.x86_64

How reproducible:
Very

Steps to Reproduce:
1. On RHEL 9, run ipa-server-install --setup-kra
2. Log in as IPA admin
3. Create a vault & archive a secret into it
4. On RHEL 8, run ipa-client-install.
5. If the domain has multiple servers, set server to point to the RHEL 9 server in /etc/ipa/default.conf
6. Run ipa vault-retrieve to retrieve data from the vault

Actual results:
Exception as above

Expected results:
ipa vault-retrieve should not fail

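Added example (editor's illustration, not code from this report or from FreeIPA): the ValueError in the traceback comes from the cryptography library's rule that a CBC IV must be exactly one block of the algorithm in use, so a 16-byte nonce is accepted for a 128-bit-block cipher and rejected for a 64-bit-block one. The block sizes below copy the `block_size` attribute (in bits) of the library's AES and TripleDES algorithm classes; the response layout, `SAMPLE_RESPONSE` and the helper names are constructed for illustration and do not describe the real IPA vault protocol. The pre-flight check shows how a client can turn that mismatch into an actionable message instead of "an internal error has occurred".

```python
# Added example, not IPA code: models the IV-length rule that raised the
# ValueError above and a pre-flight check a client could run on the server's
# reply. Block sizes copy the `block_size` attribute (in bits) of the
# cryptography library's AES and TripleDES classes; the response layout and
# helper names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockCipherAlgorithm:
    name: str
    block_size: int  # bits, like cryptography's algorithms.AES.block_size


AES = BlockCipherAlgorithm("AES", 128)              # 16-byte blocks -> 16-byte CBC IV
TRIPLE_DES = BlockCipherAlgorithm("TripleDES", 64)  # 8-byte blocks -> 8-byte CBC IV


def iv_error_message(algorithm, iv):
    """Return the message the library raises for a CBC IV of the wrong length,
    or None when the IV is exactly one block long."""
    if len(iv) * 8 != algorithm.block_size:
        return f"Invalid IV size ({len(iv)}) for CBC."
    return None


def validate_wrapping_params(algorithm, nonce, wrapped_data):
    """Check the server-supplied CBC parameters against the algorithm the client
    is about to use, before constructing the Cipher. Returns a list of
    human-readable problems; an empty list means the parameters are consistent."""
    problems = []
    block_bytes = algorithm.block_size // 8
    if len(nonce) != block_bytes:
        # Name the algorithm whose block size the nonce *does* fit, which points
        # straight at a client/server wrapping-algorithm mismatch.
        fits = [a.name for a in (AES, TRIPLE_DES) if a.block_size == len(nonce) * 8]
        hint = f"; a {len(nonce)}-byte IV fits {fits[0]}-CBC" if fits else ""
        problems.append(
            f"nonce is {len(nonce)} bytes but {algorithm.name}-CBC needs "
            f"{block_bytes}{hint} (client and server may disagree on the wrapping algorithm)"
        )
    if len(wrapped_data) == 0 or len(wrapped_data) % block_bytes:
        problems.append(
            f"wrapped data is {len(wrapped_data)} bytes, not a non-zero multiple of "
            f"the {block_bytes}-byte block size"
        )
    return problems


def unwrap_diagnosis(response, client_algorithm):
    """Stand-in for the point where the client's unwrap code builds the Cipher:
    pull the nonce and wrapped vault data out of the (constructed) response and
    validate them against the algorithm the client assumes."""
    result = response["result"]
    return validate_wrapping_params(client_algorithm, result["nonce"], result["vault_data"])


# Constructed reply shaped like a server that wrapped with a 16-byte-block cipher.
SAMPLE_RESPONSE = {"result": {"nonce": bytes(range(16)), "vault_data": bytes(48)}}

if __name__ == "__main__":
    for algo in (TRIPLE_DES, AES):
        problems = unwrap_diagnosis(SAMPLE_RESPONSE, algo)
        print(f"client assumes {algo.name}: {'OK' if not problems else problems}")
```

Running it prints one line per assumed client algorithm: the 16-byte nonce is rejected when the client assumes a 64-bit-block cipher, with a hint that it fits AES-CBC, and accepted when the client assumes AES. The same idea applied in a real client (checking `len(nonce) * 8 == algo.block_size` before calling `Cipher(...)`) turns a cross-version interoperability bug into a clear diagnostic rather than a traceback.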
Comment 1 Rob Crittenden 2022-06-22 13:45:27 UTC
Relevant upstream ticket https://pagure.io/freeipa/issue/6524

Comment 6 Sumedh Sidhaye 2022-07-21 15:34:57 UTC
Packages used for verification (from latest RHEL9.1 nightly compose)

RHEL9.1 Server:

ipa-client-4.10.0-3.el9.x86_64
ipa-client-common-4.10.0-3.el9.noarch
ipa-common-4.10.0-3.el9.noarch
ipa-healthcheck-core-0.9-9.el9.noarch
ipa-selinux-4.10.0-3.el9.noarch
ipa-server-4.10.0-3.el9.x86_64
ipa-server-common-4.10.0-3.el9.noarch
ipa-server-dns-4.10.0-3.el9.noarch
ipa-server-trust-ad-4.10.0-3.el9.x86_64


RHEL8.7 Client:

ipa-client-4.9.10-3.module+el8.7.0+15888+685a878f.x86_64
ipa-client-common-4.9.10-3.module+el8.7.0+15888+685a878f.noarch
ipa-common-4.9.10-3.module+el8.7.0+15888+685a878f.noarch
ipa-selinux-4.9.10-3.module+el8.7.0+15888+685a878f.noarch

---------------------------- Captured stderr setup -----------------------------
2022-07-21 13:10:55,843 - qe_class.py:mark_test_start:383 - CRITICAL - MARK_TEST_START: test_0020_vault_retrieve_from_client

----------------------------- Captured stdout call -----------------------------
Ticket cache: KCM:0
Default principal: admin

Valid starting     Expires            Service principal
07/21/22 09:10:56  07/22/22 08:47:04  krbtgt/TESTREALM.TEST


QERUN COMMAND: ipa vault-add vault --type=standard
QERUN ALL OUTPUT:
-------------------
Added vault "vault"
-------------------
  Vault name: vault
  Type: standard
  Owner users: admin
  Vault user: admin

GOT: Added vault "vault"
QERUN COMMAND SUCCEEDED!
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
07/21/2022 09:10:57  07/22/2022 08:16:51  krbtgt/TESTREALM.TEST


------------------------------ Captured log call -------------------------------
INFO     ipa_pytests.qe_class.QeHost.master.OpenSSHTransport:transport.py:397 RUN kdestroy -A
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd778:transport.py:519 RUN kdestroy -A
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd778:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.master.OpenSSHTransport:transport.py:397 RUN ['kinit', 'admin']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd779:transport.py:519 RUN ['kinit', 'admin']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd779:transport.py:563 Password for admin: 
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd779:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.master.OpenSSHTransport:transport.py:397 RUN ['klist']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:519 RUN ['klist']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:563 Ticket cache: KCM:0
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:563 Default principal: admin
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:563 
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:563 Valid starting     Expires            Service principal
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:563 07/21/22 09:10:56  07/22/22 08:47:04  krbtgt/TESTREALM.TEST
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd780:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'vault-add', 'vault', '--type=standard']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:519 RUN ['ipa', 'vault-add', 'vault', '--type=standard']
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563 -------------------
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563 Added vault "vault"
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563 -------------------
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563   Vault name: vault
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563   Type: standard
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563   Owner users: admin
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:563   Vault user: admin
DEBUG    ipa_pytests.qe_class.QeHost.master.cmd781:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.client.OpenSSHTransport:transport.py:397 RUN kdestroy -A
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd40:transport.py:519 RUN kdestroy -A
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd40:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.client.OpenSSHTransport:transport.py:397 RUN ['kinit', 'admin']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd41:transport.py:519 RUN ['kinit', 'admin']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd41:transport.py:563 Password for admin: 
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd41:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.client.OpenSSHTransport:transport.py:397 RUN ['klist']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:519 RUN ['klist']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:563 Ticket cache: KCM:0
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:563 Default principal: admin
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:563 
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:563 Valid starting       Expires              Service principal
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:563 07/21/2022 09:10:57  07/22/2022 08:16:51  krbtgt/TESTREALM.TEST
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd42:transport.py:217 Exit code: 0
INFO     ipa_pytests.qe_class.QeHost.client.OpenSSHTransport:transport.py:397 RUN ['ipa', 'vault-retrieve', 'vault']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:519 RUN ['ipa', 'vault-retrieve', 'vault']
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:563 ---------------------------------
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:563 Retrieved data from vault "vault"
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:563 ---------------------------------
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:563   Data: 
DEBUG    ipa_pytests.qe_class.QeHost.client.cmd43:transport.py:217 Exit code: 0


Based on the above observations, marking this Bugzilla as verified.

Comment 9 errata-xmlrpc 2022-11-08 09:36:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7540