Bug 1717355 - `adcli join` fails in FIPS enabled environment
Summary: `adcli join` fails in FIPS enabled environment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: adcli
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.1
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-06-05 10:22 UTC by Alexey Tikhonov
Modified: 2023-03-24 14:53 UTC (History)

Fixed In Version: adcli-0.8.2-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:33:47 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3649 0 None None None 2019-11-05 22:33:49 UTC

Description Alexey Tikhonov 2019-06-05 10:22:24 UTC
Description of problem:

Seems like `adcli` uses some non FIPS approved algos internally during `join` operation:

Command:
LANG=C /usr/sbin/adcli join --verbose --domain example.com --domain-realm EXAMPLE.COM --domain-controller 192.168.122.65 --login-type user --login-user Administrator

Output:
 * Using domain name: example.com
 * Calculated computer account name from fqdn: RHEL8CLIENT
 * Using domain realm: example.com
 * Sending netlogon pings to domain controller: cldap://192.168.122.65
 * Received NetLogon info from: WIN-CEC47TMBJQM.example.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-OXCjkj/krb5.d/adcli-krb5-conf-PGIZki
 * Authenticated as user: Administrator
 * Looked up short domain name: EXAMPLE
 * Looked up domain SID: S-1-5-21-1359228752-1939148235-490032057
 * Using fully qualified name: rhel8client.example.test
 * Using domain name: example.com
 * Using computer account name: RHEL8CLIENT
 * Using domain realm: example.com
 * Calculated computer account name from fqdn: RHEL8CLIENT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for RHEL8CLIENT$ at: CN=RHEL8CLIENT,CN=Computers,DC=example,DC=com
 * Sending netlogon pings to domain controller: cldap://192.168.122.65
 * Received NetLogon info from: WIN-CEC47TMBJQM.example.com
 * Set computer password
 * Retrieved kvno '4' for computer account in directory: CN=RHEL8CLIENT,CN=Computers,DC=example,DC=com
adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
 ! Couldn't authenticate with keytab while discovering which salt to use: RHEL8CLIENT$@EXAMPLE.COM: Cryptosystem internal error
 ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Cryptosystem internal error
adcli: joining domain example.com failed: Couldn't add keytab entries: FILE:/etc/krb5.keytab: Cryptosystem internal error


Version-Release number of selected component (if applicable):
adcli-0.8.2-2.el8


How reproducible:
Enable FIPS mode with `fips-mode-setup --enable`, reboot machine and issue quoted command.

Comment 2 shpetim 2019-08-13 14:35:31 UTC
Confirmed it on RHEL 8 running on VM.

someone had an adcli-0.8.2-3.el8 that i cannot find around.

# fips-mode-setup --disable
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be disabled.
Please reboot the system for the setting to take effect.

i had the system policy to fips.

someone has to fix this i could not join the active directory domain with it enabled.



=Tim

Comment 3 shpetim 2019-08-13 14:40:11 UTC
(In reply to shpetim from comment #2)
> Confirmed it on RHEL 8 running on VM.
> 
> someone had a adcli-0.8.2-3.el8 that i cannot find around.
> 
> # fips-mode-setup --disable
> Setting system policy to DEFAULT
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
> FIPS mode will be disabled.
> Please reboot the system for the setting to take effect.
> 
> i had the system policy to fips.
> 
> someone has to fix this i could not join the active directory domain with it
> enabled.
> 
> 
> 
> =Tim

I forgot to mention the packages i have installed:

rpm -q adcli realmd krb5-libs

krb5-libs-1.16.1-22.el8.x86_64
sssd-ad-2.0.0-43.el8_0.3.x86_64
sssd-2.0.0-43.el8_0.3.x86_64
realmd-0.16.3-16.el8.x86_64
oddjob-0.34.4-7.el8.x86_64
oddjob-mkhomedir-0.34.4-7.el8.x86_64
adcli-0.8.2-2.el8.x86_64
samba-common-4.9.1-8.el8.noarch


Linux ######################## 4.18.0-80.7.2.el8_0.x86_64 #1 SMP Fri Jul 26 10:48:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Comment 4 Sumit Bose 2019-08-13 19:01:09 UTC
(In reply to shpetim from comment #2)
> Confirmed it on RHEL 8 running on VM.
> 
> someone had a adcli-0.8.2-3.el8 that i cannot find around.

Hi,

adcli-0.8.2-3.el8 should be already available in the RHEL-8.1 beta.

HTH

bye,
Sumit

> 
> # fips-mode-setup --disable
> Setting system policy to DEFAULT
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
> FIPS mode will be disabled.
> Please reboot the system for the setting to take effect.
> 
> i had the system policy to fips.
> 
> someone has to fix this i could not join the active directory domain with it
> enabled.
> 
> 
> 
> =Tim

Comment 5 shpetim 2019-08-13 19:08:50 UTC
thanks a lot for the reply. 

how can i get it for the 8.0 i am using ?

=Tim

Comment 6 Sumit Bose 2019-08-14 06:38:32 UTC
(In reply to shpetim from comment #5)
> thanks a lot for the reply. 
> 
> how can i get it for the 8.0 i am using ?
> 
> =Tim

Hi,

Please have a look at https://www.redhat.com/en/blog/red-hat-enterprise-linux-81-beta-now-available. If I understand it correctly a valid subscription should be sufficient.

bye,
Sumit

Comment 7 Niranjan Mallapadi Raghavender 2019-09-10 03:44:23 UTC
[root@dell-r730-041 ~]# rpm -q adcli
adcli-0.8.2-3.el8.x86_64

[root@dell-r730-041 ~]# KRB5_TRACE=/dev/stdout adcli join --verbose --domain CYGNUS.TEST --domain-realm CYGNUS.TEST --domain-controller 10.65.201.120 --login-type user --login-user Administrator
 * Using domain name: CYGNUS.TEST
 * Calculated computer account name from fqdn: DELL-R730-041
 * Using domain realm: CYGNUS.TEST
 * Sending netlogon pings to domain controller: cldap://10.65.201.120
 * Received NetLogon info from: srv1.cygnus.test
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-BOgKge/krb5.d/adcli-krb5-conf-cZSqHM
[3360] 1568086919.525536: Resolving unique ccache of type MEMORY
Password for Administrator:
[3360] 1568086922.439246: Getting initial credentials for Administrator
[3360] 1568086922.439247: Unrecognized SPAKE group name: edwards25519
[3360] 1568086922.439249: Sending unauthenticated request
[3360] 1568086922.439250: Sending request (210 bytes) to CYGNUS.TEST
[3360] 1568086922.439251: Resolving hostname 10.65.201.120
[3360] 1568086922.439252: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086922.439253: Received answer (190 bytes) from dgram 10.65.201.120:88
[3360] 1568086922.439254: Response was from master KDC
[3360] 1568086922.439255: Received error from KDC: -1765328359/Additional pre-authentication required
[3360] 1568086922.439258: Preauthenticating using KDC method data
[3360] 1568086922.439259: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[3360] 1568086922.439260: Selected etype info: etype aes256-cts, salt "CYGNUS.TESTAdministrator", params ""
[3360] 1568086922.439261: AS key obtained for encrypted timestamp: aes256-cts/99D4
[3360] 1568086922.439263: Encrypted timestamp (for 1568086922.963827): plain 301AA011180F32303139303931303033343230325AA10502030EB4F3, encrypted F51319DD90E95DF52B9CDBB60A53B059BE0BA3258192A1337964BE577497C85DE5CDEB01BDBA1F196513BDBCE7DA1C142C231BFD80BBE7A2
[3360] 1568086922.439264: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3360] 1568086922.439265: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[3360] 1568086922.439266: Sending request (290 bytes) to CYGNUS.TEST
[3360] 1568086922.439267: Resolving hostname 10.65.201.120
[3360] 1568086922.439268: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086922.439269: Received answer (94 bytes) from dgram 10.65.201.120:88
[3360] 1568086922.439270: Response was from master KDC
[3360] 1568086922.439271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3360] 1568086922.439272: Request or response is too big for UDP; retrying with TCP
[3360] 1568086922.439273: Sending request (290 bytes) to CYGNUS.TEST (tcp only)
[3360] 1568086922.439274: Resolving hostname 10.65.201.120
[3360] 1568086922.439275: Initiating TCP connection to stream 10.65.201.120:88
[3360] 1568086923.122149: Sending TCP request to stream 10.65.201.120:88
[3360] 1568086923.122150: Received answer (1555 bytes) from stream 10.65.201.120:88
[3360] 1568086923.122151: Terminating TCP connection to stream 10.65.201.120:88
[3360] 1568086923.122152: Response was from master KDC
[3360] 1568086923.122153: Processing preauth types: PA-ETYPE-INFO2 (19)
[3360] 1568086923.122154: Selected etype info: etype aes256-cts, salt "CYGNUS.TESTAdministrator", params ""
[3360] 1568086923.122155: Produced preauth for next request: (empty)
[3360] 1568086923.122156: AS key determined by preauth: aes256-cts/99D4
[3360] 1568086923.122157: Decrypted AS reply; session key is: aes256-cts/2206
[3360] 1568086923.122158: FAST negotiation: unavailable
[3360] 1568086923.122159: Initializing MEMORY:UoSUFxe with default princ Administrator
[3360] 1568086923.122160: Storing Administrator -> krbtgt/CYGNUS.TEST in MEMORY:UoSUFxe
[3360] 1568086923.122161: Storing config in MEMORY:UoSUFxe for krbtgt/CYGNUS.TEST: pa_type: 2
[3360] 1568086923.122162: Storing Administrator -> krb5_ccache_conf_data/pa_type/krbtgt\/CYGNUS.TEST\@CYGNUS.TEST@X-CACHECONF: in MEMORY:UoSUFxe
 * Authenticated as user: Administrator
[3360] 1568086923.122166: Getting credentials Administrator -> ldap/srv1.cygnus.test using ccache MEMORY:UoSUFxe
[3360] 1568086923.122167: Retrieving Administrator -> ldap/srv1.cygnus.test from MEMORY:UoSUFxe with result: -1765328243/Matching credential not found
[3360] 1568086923.122168: Retrieving Administrator -> krbtgt/CYGNUS.TEST from MEMORY:UoSUFxe with result: 0/Success
[3360] 1568086923.122169: Starting with TGT for client realm: Administrator -> krbtgt/CYGNUS.TEST
[3360] 1568086923.122170: Requesting tickets for ldap/srv1.cygnus.test, referrals on
[3360] 1568086923.122171: Generated subkey for TGS request: aes256-cts/FCCA
[3360] 1568086923.122172: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[3360] 1568086923.122174: Encoding request body and padata into FAST request
[3360] 1568086923.122175: Sending request (1717 bytes) to CYGNUS.TEST
[3360] 1568086923.122176: Resolving hostname 10.65.201.120
[3360] 1568086923.122177: Initiating TCP connection to stream 10.65.201.120:88
[3360] 1568086923.122178: Sending TCP request to stream 10.65.201.120:88
[3360] 1568086924.10678: Received answer (1734 bytes) from stream 10.65.201.120:88
[3360] 1568086924.10679: Terminating TCP connection to stream 10.65.201.120:88
[3360] 1568086924.10680: Response was from master KDC
[3360] 1568086924.10681: Decoding FAST response
[3360] 1568086924.10682: FAST reply key: aes256-cts/358A
[3360] 1568086924.10683: TGS reply is for Administrator -> ldap/srv1.cygnus.test with session key aes256-cts/E4AC
[3360] 1568086924.10684: TGS request result: 0/Success
[3360] 1568086924.10685: Received creds for desired service ldap/srv1.cygnus.test
[3360] 1568086924.10686: Storing Administrator -> ldap/srv1.cygnus.test in MEMORY:UoSUFxe
[3360] 1568086924.10688: Creating authenticator for Administrator -> ldap/srv1.cygnus.test, seqnum 1070806145, subkey aes256-cts/436D, session key aes256-cts/E4AC
[3360] 1568086924.10693: Read AP-REP, time 1568086925.10689, subkey aes256-cts/1E71, seqnum 1051364748
 * Looked up short domain name: CYGNUS
 * Looked up domain SID: S-1-5-21-362265945-4067830278-750207296
 * Using fully qualified name: dell-r730-041.dsal.lab.eng.rdu2.redhat.com
 * Using domain name: CYGNUS.TEST
 * Using computer account name: DELL-R730-041
 * Using domain realm: CYGNUS.TEST
 * Calculated computer account name from fqdn: DELL-R730-041
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for DELL-R730-041$ does not exist
 * Found well known computer container at: CN=Computers,DC=cygnus,DC=test
 * Calculated computer account: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test
 * Created computer account: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test
 * Sending netlogon pings to domain controller: cldap://10.65.201.120
 * Received NetLogon info from: srv1.cygnus.test
[3360] 1568086926.670202: Getting credentials Administrator -> kadmin/changepw using ccache MEMORY:UoSUFxe
[3360] 1568086926.670203: Retrieving Administrator -> kadmin/changepw from MEMORY:UoSUFxe with result: -1765328243/Matching credential not found
[3360] 1568086926.670204: Retrieving Administrator -> krbtgt/CYGNUS.TEST from MEMORY:UoSUFxe with result: 0/Success
[3360] 1568086926.670205: Starting with TGT for client realm: Administrator -> krbtgt/CYGNUS.TEST
[3360] 1568086926.670206: Requesting tickets for kadmin/changepw, referrals on
[3360] 1568086926.670207: Generated subkey for TGS request: aes256-cts/4D61
[3360] 1568086926.670208: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[3360] 1568086926.670210: Encoding request body and padata into FAST request
[3360] 1568086926.670211: Sending request (1704 bytes) to CYGNUS.TEST
[3360] 1568086926.670212: Resolving hostname 10.65.201.120
[3360] 1568086926.670213: Initiating TCP connection to stream 10.65.201.120:88
[3360] 1568086926.670214: Sending TCP request to stream 10.65.201.120:88
[3360] 1568086927.111213: Received answer (1722 bytes) from stream 10.65.201.120:88
[3360] 1568086927.111214: Terminating TCP connection to stream 10.65.201.120:88
[3360] 1568086927.111215: Response was from master KDC
[3360] 1568086927.111216: Decoding FAST response
[3360] 1568086927.111217: FAST reply key: aes256-cts/9235
[3360] 1568086927.111218: TGS reply is for Administrator -> kadmin/changepw with session key aes256-cts/B1DD
[3360] 1568086927.111219: TGS request result: 0/Success
[3360] 1568086927.111220: Received creds for desired service kadmin/changepw
[3360] 1568086927.111221: Storing Administrator -> kadmin/changepw in MEMORY:UoSUFxe
[3360] 1568086927.111223: Creating authenticator for Administrator -> kadmin/changepw, seqnum 0, subkey aes256-cts/D266, session key aes256-cts/B1DD
[3360] 1568086927.111225: Resolving hostname 10.65.201.120
[3360] 1568086927.111226: Initiating TCP connection to stream 10.65.201.120:464
[3360] 1568086927.111227: Sending TCP request to stream 10.65.201.120:464
[3360] 1568086927.111228: Received answer (173 bytes) from stream 10.65.201.120:464
[3360] 1568086927.111229: Terminating TCP connection to stream 10.65.201.120:464
[3360] 1568086927.111230: Read AP-REP, time 1568086928.111224, subkey (null), seqnum 0
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test
 * Checking RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com
 *    Added RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com
 * Checking RestrictedKrbHost/DELL-R730-041
 *    Added RestrictedKrbHost/DELL-R730-041
 * Checking host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com
 *    Added host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com
 * Checking host/DELL-R730-041
 *    Added host/DELL-R730-041
[3360] 1568086927.111231: Getting initial credentials for DELL-R730-041$@CYGNUS.TEST
[3360] 1568086927.111232: Looked up etypes in keytab: aes256-cts, aes128-cts
[3360] 1568086927.111234: Sending unauthenticated request
[3360] 1568086927.111235: Sending request (211 bytes) to CYGNUS.TEST
[3360] 1568086927.111236: Resolving hostname 10.65.201.120
[3360] 1568086927.111237: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086928.35327: Received answer (206 bytes) from dgram 10.65.201.120:88
[3360] 1568086928.35328: Response was from master KDC
[3360] 1568086928.35329: Received error from KDC: -1765328359/Additional pre-authentication required
[3360] 1568086928.35332: Preauthenticating using KDC method data
[3360] 1568086928.35333: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[3360] 1568086928.35334: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params ""
[3360] 1568086928.35335: Retrieving DELL-R730-041$@CYGNUS.TEST from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success
[3360] 1568086928.35336: AS key obtained for encrypted timestamp: aes256-cts/9D3D
[3360] 1568086928.35338: Encrypted timestamp (for 1568086927.323163): plain 301AA011180F32303139303931303033343230375AA105020304EE5B, encrypted 93AA9781FA2E52CD2806024EBC3CF5720C0BF20C15771A7D9A4A21221EBF589097DB7E1D36EB5E00E5F83F33644B33FB5F6037638DB95131
[3360] 1568086928.35339: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3360] 1568086928.35340: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[3360] 1568086928.35341: Sending request (291 bytes) to CYGNUS.TEST
[3360] 1568086928.35342: Resolving hostname 10.65.201.120
[3360] 1568086928.35343: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086928.35344: Received answer (173 bytes) from dgram 10.65.201.120:88
[3360] 1568086928.35345: Response was from master KDC
[3360] 1568086928.35346: Received error from KDC: -1765328360/Preauthentication failed
[3360] 1568086928.35349: Getting initial credentials for DELL-R730-041$@CYGNUS.TEST
[3360] 1568086928.35350: Looked up etypes in keytab: aes256-cts, aes128-cts
[3360] 1568086928.35352: Sending unauthenticated request
[3360] 1568086928.35353: Sending request (211 bytes) to CYGNUS.TEST
[3360] 1568086928.35354: Resolving hostname 10.65.201.120
[3360] 1568086928.35355: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086928.35356: Received answer (206 bytes) from dgram 10.65.201.120:88
[3360] 1568086928.35357: Response was from master KDC
[3360] 1568086928.35358: Received error from KDC: -1765328359/Additional pre-authentication required
[3360] 1568086928.35361: Preauthenticating using KDC method data
[3360] 1568086928.35362: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[3360] 1568086928.35363: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params ""
[3360] 1568086928.35364: Retrieving DELL-R730-041$@CYGNUS.TEST from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success
[3360] 1568086928.35365: AS key obtained for encrypted timestamp: aes256-cts/2075
[3360] 1568086928.35367: Encrypted timestamp (for 1568086928.776364): plain 301AA011180F32303139303931303033343230385AA10502030BD8AC, encrypted 979D25063F487CC4AAB19A7BF570EFA9F3564CE937CB11CDB2BFA36E01735709F01B2C87C98D2828CA2D62C27A17F21B56138E04914E4DDA
[3360] 1568086928.35368: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3360] 1568086928.35369: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[3360] 1568086928.35370: Sending request (291 bytes) to CYGNUS.TEST
[3360] 1568086928.35371: Resolving hostname 10.65.201.120
[3360] 1568086928.35372: Sending initial UDP request to dgram 10.65.201.120:88
[3360] 1568086928.35373: Received answer (94 bytes) from dgram 10.65.201.120:88
[3360] 1568086928.35374: Response was from master KDC
[3360] 1568086928.35375: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3360] 1568086928.35376: Request or response is too big for UDP; retrying with TCP
[3360] 1568086928.35377: Sending request (291 bytes) to CYGNUS.TEST (tcp only)
[3360] 1568086928.35378: Resolving hostname 10.65.201.120
[3360] 1568086928.35379: Initiating TCP connection to stream 10.65.201.120:88
[3360] 1568086928.35380: Sending TCP request to stream 10.65.201.120:88
[3360] 1568086929.148986: Received answer (1541 bytes) from stream 10.65.201.120:88
[3360] 1568086929.148987: Terminating TCP connection to stream 10.65.201.120:88
[3360] 1568086929.148988: Response was from master KDC
[3360] 1568086929.148989: Processing preauth types: PA-ETYPE-INFO2 (19)
[3360] 1568086929.148990: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params ""
[3360] 1568086929.148991: Produced preauth for next request: (empty)
[3360] 1568086929.148992: AS key determined by preauth: aes256-cts/2075
[3360] 1568086929.148993: Decrypted AS reply; session key is: aes256-cts/3E5B
[3360] 1568086929.148994: FAST negotiation: unavailable
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DELL-R730-041$@CYGNUS.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/DELL-R730-041: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/DELL-R730-041: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com: FILE:/etc/krb5.keytab

[root@dell-r730-041 ~]# fips-mode-setup --check
FIPS mode is enabled.
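
A triage sketch for the failure reported above, added here as an example and not part of the bug report or of adcli: it combines the salt-discovery "Cryptosystem internal error" signature from the description, the `fips-mode-setup --check` output, and the Fixed In Version build. The function names are hypothetical, and using `sort -V` in place of RPM's own version comparison is an assumption.

```shell
# Added triage example; function names are hypothetical, not adcli's.
FIXED_EVR="0.8.2-3"   # from "Fixed In Version: adcli-0.8.2-3.el8" on this page

# Pull "version-release" out of an rpm -q line such as adcli-0.8.2-2.el8.x86_64.
adcli_evr() {
    printf '%s\n' "$1" | sed -n 's/^adcli-\([0-9][0-9.]*-[0-9][0-9]*\).*$/\1/p'
}

# Exit 0 if the build is at or past the fixed one, 1 if older, 2 if unparseable.
# Assumption: sort -V stands in for RPM's own version comparison.
adcli_has_fix() {
    evr=$(adcli_evr "$1")
    [ -n "$evr" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$evr" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Exit 0 if the text is what `fips-mode-setup --check` prints with FIPS on.
fips_enabled_from_check() {
    case "$1" in
        *"FIPS mode is enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify `adcli join --verbose` output read from stdin.
classify_join_log() {
    awk '
        /discovering which salt to use/ && /Cryptosystem internal error/ { fail = 1 }
        /Discovered which keytab salt to use/ { salt_ok = 1 }
        /Added the entries to the keytab/     { added = 1 }
        END {
            if (fail)                   print "salt-discovery-crypto-error"
            else if (salt_ok && added)  print "joined"
            else                        print "inconclusive"
        }'
}

# Args: rpm -q line, fips-mode-setup --check output. Stdin: adcli output.
# An unparseable package string is treated as a build without the fix.
triage() {
    verdict=$(classify_join_log)
    if [ "$verdict" != "salt-discovery-crypto-error" ]; then
        echo "no-match ($verdict)"
    elif ! fips_enabled_from_check "$2"; then
        echo "no-match (FIPS mode off)"
    elif adcli_has_fix "$1"; then
        echo "unexpected: failure signature on a build with the fix"
    else
        echo "affected: update adcli to $FIXED_EVR or later"
    fi
}

# Sample lines excerpted from the description and from comment 7 above.
sample_fail_log() {
cat <<'EOF'
 * Retrieved kvno '4' for computer account in directory: CN=RHEL8CLIENT,CN=Computers,DC=example,DC=com
 ! Couldn't authenticate with keytab while discovering which salt to use: RHEL8CLIENT$@EXAMPLE.COM: Cryptosystem internal error
 ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Cryptosystem internal error
EOF
}
sample_ok_log() {
cat <<'EOF'
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DELL-R730-041$@CYGNUS.TEST: FILE:/etc/krb5.keytab
EOF
}

sample_fail_log | triage "adcli-0.8.2-2.el8.x86_64" "FIPS mode is enabled."
sample_ok_log   | triage "adcli-0.8.2-3.el8.x86_64" "FIPS mode is enabled."
```

On a live host the three inputs would come from `rpm -q adcli`, `fips-mode-setup --check`, and the saved output of the failing `adcli join --verbose` run.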

Comment 9 errata-xmlrpc 2019-11-05 22:33:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3649

