Bug 2165529

Summary: After ipa-server install kinit is failing in FIPS mode.
Product: Red Hat Enterprise Linux 9
Reporter: anuja <amore>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED DUPLICATE
QA Contact: Filip Dvorak <fdvorak>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.2
CC: fdvorak, ftrivino, rcritten, tscherf
Target Milestone: rc
Keywords: Regression
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.20.1-5.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-30 16:10:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description anuja 2023-01-30 11:20:06 UTC
Description of problem:
In FIPS mode on RHEL 9.2, kinit fails after ipa-server install.

Version-Release number of selected component (if applicable):
ipa-server-4.10.1-3.el9.x86_64
krb5-server-1.20.1-3.el9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. install ipa-server
2. kinit admin

Actual results:
ipa: ERROR: stderr: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Expected results:
kinit admin should be successful.

Additional info:
With ipa-server-4.10.1-2.el9.x86_64, kinit works.

Comment 2 Florence Blanc-Renaud 2023-01-30 12:39:32 UTC
According to the logs, ipa-server-install reports an error when setting the admin password:
2023-01-30T10:55:35Z DEBUG Changing admin password
2023-01-30T10:55:35Z DEBUG Starting external process
2023-01-30T10:55:35Z DEBUG args=['/usr/bin/ldappasswd', '-H', 'ldap://master.testrelm.test', '-ZZ', '-x', '-D', 'cn=Directory Manager', '-y', '/var/lib/ipa/tmp413vx9po', '-T', '/var/lib/ipa/tmpz45rm7l1', 'uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test']
2023-01-30T10:55:35Z DEBUG Process finished, return code=1
2023-01-30T10:55:35Z DEBUG stdout=Result: Operations error (1)
Additional info: Failed to update password

2023-01-30T10:55:35Z DEBUG stderr=
2023-01-30T10:55:35Z DEBUG Unable to set admin password CalledProcessError(Command ['/usr/bin/ldappasswd', '-H', 'ldap://master.testrelm.test', '-ZZ', '-x', '-D', 'cn=Directory Manager', '-y', '/var/lib/ipa/tmp413vx9po', '-T', '/var/lib/ipa/tmpz45rm7l1', 'uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test'] returned non-zero exit status 1: '')

but ipa-server-install exits successfully anyway.


389 ds error log displays an error generating the kerberos key:
[30/Jan/2023:05:55:35.529246066 -0500] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 179]: generating kerberos keys failed [Cryptosystem internal error]
[30/Jan/2023:05:55:35.537081450 -0500] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed

This code is part of the IPA KDB driver; we need to investigate which encryption is tried and check whether it is supported in FIPS mode.
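The comment above points out that ipa-server-install returns success even though setting the admin password failed, so the failure is only visible in the install log and in the 389 Directory Server errors log. The post-install check below is an added example, not part of this bug report and not FreeIPA's or krb5's own code: it scans the two logs for the exact signatures quoted in this bug and reports the kernel FIPS flag. The embedded log excerpts are constructed from the lines quoted above; the log paths used for the `--host` run are the RHEL defaults (/var/log/ipaserver-install.log, /var/log/dirsrv/slapd-INSTANCE/errors, /proc/sys/crypto/fips_enabled) and are passed as arguments so the functions can also be run against copied files.

```shell
#!/bin/sh
# Post-install check for the failure mode described in this bug:
# ipa-server-install exits 0, but the admin password was never set because
# the ipapwd plugin in 389-ds could not generate Kerberos keys.
# Added example (not project code); log paths are supplied by the caller.

# Return 0 (true) when the install log records the admin password failure.
install_log_shows_pw_failure() {
    grep -q 'Unable to set admin password' "$1"
}

# Return 0 (true) when the 389-ds errors log records the ipapwd key failure.
dirsrv_log_shows_key_failure() {
    grep -q 'ipapwd_encrypt_encode_key .* generating kerberos keys failed' "$1"
}

# Print "enabled", "disabled" or "unknown" from a fips_enabled flag file.
# The path is a parameter so the check can be exercised on a copied file.
fips_status() {
    if [ ! -r "$1" ]; then
        echo unknown
    elif [ "$(cat "$1")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Combine the three signals into one verdict line.
#   $1 install log, $2 dirsrv errors log, $3 fips flag file
verdict() {
    pw=0; key=0
    install_log_shows_pw_failure "$1" && pw=1
    dirsrv_log_shows_key_failure "$2" && key=1
    fips=$(fips_status "$3")
    if [ "$pw" = 1 ] && [ "$key" = 1 ]; then
        echo "admin password not set: kerberos key generation failed (fips=$fips)"
    elif [ "$pw" = 1 ]; then
        echo "admin password not set: see 389-ds errors log (fips=$fips)"
    else
        echo "no admin password failure found (fips=$fips)"
    fi
}

# Constructed sample data, built from the lines quoted in this bug, so the
# functions can be exercised without a real IPA server. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ipaserver-install.log" <<'EOF'
2023-01-30T10:55:35Z DEBUG Changing admin password
2023-01-30T10:55:35Z DEBUG Process finished, return code=1
2023-01-30T10:55:35Z DEBUG stdout=Result: Operations error (1)
2023-01-30T10:55:35Z DEBUG Unable to set admin password CalledProcessError(Command ['/usr/bin/ldappasswd', ...] returned non-zero exit status 1: '')
EOF
    cat > "$dir/errors" <<'EOF'
[30/Jan/2023:05:55:35.529246066 -0500] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 179]: generating kerberos keys failed [Cryptosystem internal error]
[30/Jan/2023:05:55:35.537081450 -0500] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed
EOF
    echo 1 > "$dir/fips_enabled"
    echo "$dir"
}

# Run against the real host when invoked as "check.sh --host <INSTANCE>",
# where INSTANCE is the 389-ds instance name (e.g. TESTRELM-TEST).
if [ "${1:-}" = "--host" ]; then
    verdict /var/log/ipaserver-install.log \
            "/var/log/dirsrv/slapd-${2:-INSTANCE}/errors" \
            /proc/sys/crypto/fips_enabled
fi
```

Because the install log only reports the ldappasswd failure at DEBUG level, run this (or `kinit admin`) immediately after any FIPS-mode install rather than trusting the installer's exit status.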

Comment 5 Julien Rische 2023-01-30 16:10:06 UTC
*** This bug has been marked as a duplicate of bug 2162461 ***