Description of problem:
ipa-server-install fails when FIPS mode is enabled

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-2.el7.x86_64
ipa-server-dns-4.6.4-2.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable FIPS mode
2. ipa-server-install

/usr/sbin/ipa-server-install --setup-dns --forwarder <xx.xx.xx.xx> --domain testrelm.test --realm TESTRELM.TEST --admin-password Secret123 --ds-password Secret123 -U --reverse-zone x.xx.xx.in-addr.arpa. --allow-zone-overlap --domain-level=1

Actual results:
ipa-server-install fails

  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
ipapython.dnsutil: ERROR DNS query for master.testrelm.test. 1 failed: All nameservers failed to answer the query master.testrelm.test. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipapython.dnsutil: ERROR DNS query for master.testrelm.test. 1 failed: All nameservers failed to answer the query master.testrelm.test. IN A: Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 answered SERVFAIL
ipaserver.dns_data_management: ERROR unable to resolve host name master.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638972): Generic error (see e-text)
Installation failed. As this is IPA server, changes will not be rolled back.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipapython.admintool: ERROR    Configuration of client side components failed!
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
ipa-server-install success

Additional info:
ipa-client-install is performing an operation equivalent to

  kinit -kt /etc/krb5.keytab -c /etc/ipa/.dns_ccache

and this call fails. The corresponding log in /var/log/krb5kdc.log is the following:

Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: NEEDED_PREAUTH: host/master.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: GENERATE_TICKET_ID: host/master.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Cannot allocate memory
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13

Robbie, could you have a look at the issue? It is possible that some configuration is missing for FIPS. The conf is the following:

# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = TESTRELM.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  TESTRELM.TEST = {
    kdc = master.testrelm.test:88
    master_kdc = master.testrelm.test:88
    admin_server = master.testrelm.test:749
    default_domain = testrelm.test
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .testrelm.test = TESTRELM.TEST
  testrelm.test = TESTRELM.TEST
  master.testrelm.test = TESTRELM.TEST

[dbmodules]
  TESTRELM.TEST = {
    db_library = ipadb.so
  }

[plugins]
  certauth = {
    module = ipakdb:kdb/ipadb.so
    enable_only = ipakdb
  }
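The krb5kdc.log excerpt above is the signal an operator would look for when a host keytab kinit fails on a FIPS-enabled IPA master: the AS_REQ reaches NEEDED_PREAUTH normally and then fails at GENERATE_TICKET_ID with "Cannot allocate memory". The following is an added example, not code from this report or from FreeIPA or MIT Kerberos, that parses krb5kdc.log lines in the format quoted above, flags AS_REQ entries whose status is neither NEEDED_PREAUTH nor ISSUE, and reports whether the host is in FIPS mode by reading /proc/sys/crypto/fips_enabled. The embedded sample lines are the four quoted in this report; the regular expressions, the BENIGN_STATUSES set and the AsReq field names are my assumptions about the log format, not an API of either project.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: the /var/log/krb5kdc.log lines quoted in the bug report.
SAMPLE_LOG = """\
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: NEEDED_PREAUTH: host/master.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Additional pre-authentication required
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 10.65.206.153: GENERATE_TICKET_ID: host/master.testrelm.test@TESTRELM.TEST for krbtgt/TESTRELM.TEST@TESTRELM.TEST, Cannot allocate memory
Jul 10 17:52:33 master.testrelm.test krb5kdc[26466](info): closing down fd 13
"""

# Outer syslog-style prefix written by krb5kdc (assumed from the quoted lines).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<msg>.*)$"
)
# AS_REQ message body: etype list, client address, status word, client and
# server principals, and the free-text detail after the comma.
AS_REQ_RE = re.compile(
    r"^AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>\w+): (?P<client>\S+) for (?P<server>\S+), (?P<detail>.*)$"
)

# Status words that are normal steps of an AS exchange rather than KDC failures.
# NEEDED_PREAUTH is the KDC asking for pre-authentication; ISSUE is a granted ticket.
BENIGN_STATUSES = {"ISSUE", "NEEDED_PREAUTH"}


@dataclass
class AsReq:
    ts: str
    client_ip: str
    etypes: List[int]
    status: str
    client: str
    server: str
    detail: str


def parse_as_req(line: str) -> Optional[AsReq]:
    """Return an AsReq for an AS_REQ log line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = AS_REQ_RE.match(m.group("msg"))
    if not a:
        return None
    return AsReq(
        ts=m.group("ts"),
        client_ip=a.group("client_ip"),
        etypes=[int(e) for e in a.group("etypes").split()],
        status=a.group("status"),
        client=a.group("client"),
        server=a.group("server"),
        detail=a.group("detail"),
    )


def status_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Count AS_REQ lines per status word, e.g. to spot a burst of one failure."""
    counts: Dict[str, int] = {}
    for line in lines:
        r = parse_as_req(line)
        if r is not None:
            counts[r.status] = counts.get(r.status, 0) + 1
    return counts


def failed_as_reqs(lines: Iterable[str]) -> List[AsReq]:
    """AS_REQ entries whose status is not a normal exchange step."""
    return [r for line in lines
            if (r := parse_as_req(line)) is not None and r.status not in BENIGN_STATUSES]


def fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> Optional[bool]:
    """True/False from the kernel FIPS flag, None if the file cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    print("AS_REQ statuses:", status_counts(SAMPLE_LOG.splitlines()))
    for r in failed_as_reqs(SAMPLE_LOG.splitlines()):
        print(f"{r.ts} {r.client} -> {r.server}: {r.status}: {r.detail} (etypes {r.etypes})")
```

Run against the real file with `python3 kdclog.py < /var/log/krb5kdc.log` after swapping SAMPLE_LOG for `sys.stdin`; a FIPS host whose only failures carry status GENERATE_TICKET_ID for every host principal matches the symptom in this report, whereas failures spread across statuses such as CLIENT_NOT_FOUND or PREAUTH_FAILED point at principal or password problems instead.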
This means that kau_make_tkt_id() failed. I believe this is because it attempted to use CKSUMTYPE_RSA_MD5 as a checksum and got back ENOMEM (?) somehow. I will investigate further.
Reproduced locally. This happens because of an MD5 usage exposed by https://bugzilla.redhat.com/show_bug.cgi?id=1570600 . Taking bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3071