Bug 1717355
| Summary: | `adcli join` fails in FIPS enabled environment | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexey Tikhonov <atikhono> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.0 | CC: | mniranja, pcech, sgoveas, shpetim.aliaj |
| Target Milestone: | rc | Flags: | atikhono:
mirror+
|
| Target Release: | 8.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | adcli-0.8.2-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:33:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Alexey Tikhonov
2019-06-05 10:22:24 UTC
Confirmed it on RHEL 8 running on VM. someone had a adcli-0.8.2-3.el8 that i cannot find around. # fips-mode-setup --disable Setting system policy to DEFAULT Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. FIPS mode will be disabled. Please reboot the system for the setting to take effect. i had the system policy to fips. someone has to fix this i could not join the active directory domain with it enabled. =Tim (In reply to shpetim from comment #2) > Confirmed it on RHEL 8 running on VM. > > someone had a adcli-0.8.2-3.el8 that i cannot find around. > > # fips-mode-setup --disable > Setting system policy to DEFAULT > Note: System-wide crypto policies are applied on application start-up. > It is recommended to restart the system for the change of policies > to fully take place. > FIPS mode will be disabled. > Please reboot the system for the setting to take effect. > > i had the system policy to fips. > > someone has to fix this i could not join the active directory domain with it > enabled. > > > > =Tim OI forgot to mentioned the packages i have installed: rpm -q adcli realmd krb5-libs krb5-libs-1.16.1-22.el8.x86_64 sssd-ad-2.0.0-43.el8_0.3.x86_64 sssd-2.0.0-43.el8_0.3.x86_64 realmd-0.16.3-16.el8.x86_64 oddjob-0.34.4-7.el8.x86_64 oddjob-mkhomedir-0.34.4-7.el8.x86_64 adcli-0.8.2-2.el8.x86_64 samba-common-4.9.1-8.el8.noarch Linux ######################## 4.18.0-80.7.2.el8_0.x86_64 #1 SMP Fri Jul 26 10:48:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux (In reply to shpetim from comment #2) > Confirmed it on RHEL 8 running on VM. > > someone had a adcli-0.8.2-3.el8 that i cannot find around. Hi, adcli-0.8.2-3.el8 should be already available in the RHEL-8.1 beta. HTH bye, Sumit > > # fips-mode-setup --disable > Setting system policy to DEFAULT > Note: System-wide crypto policies are applied on application start-up. > It is recommended to restart the system for the change of policies > to fully take place. > FIPS mode will be disabled. > Please reboot the system for the setting to take effect. > > i had the system policy to fips. > > someone has to fix this i could not join the active directory domain with it > enabled. > > > > =Tim thanks a lot for the reply. how can i get it for the 8.0 i am using ? =Tim (In reply to shpetim from comment #5) > thanks a lot for the reply. > > how can i get it for the 8.0 i am using ? > > =Tim Hi, Please have a look at https://www.redhat.com/en/blog/red-hat-enterprise-linux-81-beta-now-available. If I understand it correctly a valid subscription should be sufficient. bye, Sumit [root@dell-r730-041 ~]# rpm -q adcli adcli-0.8.2-3.el8.x86_64 [root@dell-r730-041 ~]# KRB5_TRACE=/dev/stdout adcli join --verbose --domain CYGNUS.TEST --domain-realm CYGNUS.TEST --domain-controller 10.65.201.120 --login-type user --login-user Administrator * Using domain name: CYGNUS.TEST * Calculated computer account name from fqdn: DELL-R730-041 * Using domain realm: CYGNUS.TEST * Sending netlogon pings to domain controller: cldap://10.65.201.120 * Received NetLogon info from: srv1.cygnus.test * Wrote out krb5.conf snippet to /tmp/adcli-krb5-BOgKge/krb5.d/adcli-krb5-conf-cZSqHM [3360] 1568086919.525536: Resolving unique ccache of type MEMORY Password for Administrator: [3360] 1568086922.439246: Getting initial credentials for Administrator [3360] 1568086922.439247: Unrecognized SPAKE group name: edwards25519 [3360] 1568086922.439249: Sending unauthenticated request [3360] 1568086922.439250: Sending request (210 bytes) to CYGNUS.TEST [3360] 1568086922.439251: Resolving hostname 10.65.201.120 [3360] 1568086922.439252: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086922.439253: Received answer (190 bytes) from dgram 10.65.201.120:88 [3360] 1568086922.439254: Response was from master KDC [3360] 1568086922.439255: Received error from KDC: -1765328359/Additional pre-authentication required [3360] 1568086922.439258: Preauthenticating using KDC method data [3360] 1568086922.439259: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) [3360] 1568086922.439260: Selected etype info: etype aes256-cts, salt "CYGNUS.TESTAdministrator", params "" [3360] 1568086922.439261: AS key obtained for encrypted timestamp: aes256-cts/99D4 [3360] 1568086922.439263: Encrypted timestamp (for 1568086922.963827): plain 301AA011180F32303139303931303033343230325AA10502030EB4F3, encrypted F51319DD90E95DF52B9CDBB60A53B059BE0BA3258192A1337964BE577497C85DE5CDEB01BDBA1F196513BDBCE7DA1C142C231BFD80BBE7A2 [3360] 1568086922.439264: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [3360] 1568086922.439265: Produced preauth for next request: PA-ENC-TIMESTAMP (2) [3360] 1568086922.439266: Sending request (290 bytes) to CYGNUS.TEST [3360] 1568086922.439267: Resolving hostname 10.65.201.120 [3360] 1568086922.439268: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086922.439269: Received answer (94 bytes) from dgram 10.65.201.120:88 [3360] 1568086922.439270: Response was from master KDC [3360] 1568086922.439271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP [3360] 1568086922.439272: Request or response is too big for UDP; retrying with TCP [3360] 1568086922.439273: Sending request (290 bytes) to CYGNUS.TEST (tcp only) [3360] 1568086922.439274: Resolving hostname 10.65.201.120 [3360] 1568086922.439275: Initiating TCP connection to stream 10.65.201.120:88 [3360] 1568086923.122149: Sending TCP request to stream 10.65.201.120:88 [3360] 1568086923.122150: Received answer (1555 bytes) from stream 10.65.201.120:88 [3360] 1568086923.122151: Terminating TCP connection to stream 10.65.201.120:88 [3360] 1568086923.122152: Response was from master KDC [3360] 1568086923.122153: Processing preauth types: PA-ETYPE-INFO2 (19) [3360] 1568086923.122154: Selected etype info: etype aes256-cts, salt "CYGNUS.TESTAdministrator", params "" [3360] 1568086923.122155: Produced preauth for next request: (empty) [3360] 1568086923.122156: AS key determined by preauth: aes256-cts/99D4 [3360] 1568086923.122157: Decrypted AS reply; session key is: aes256-cts/2206 [3360] 1568086923.122158: FAST negotiation: unavailable [3360] 1568086923.122159: Initializing MEMORY:UoSUFxe with default princ Administrator [3360] 1568086923.122160: Storing Administrator -> krbtgt/CYGNUS.TEST in MEMORY:UoSUFxe [3360] 1568086923.122161: Storing config in MEMORY:UoSUFxe for krbtgt/CYGNUS.TEST: pa_type: 2 [3360] 1568086923.122162: Storing Administrator -> krb5_ccache_conf_data/pa_type/krbtgt\/CYGNUS.TEST\@CYGNUS.TEST@X-CACHECONF: in MEMORY:UoSUFxe * Authenticated as user: Administrator [3360] 1568086923.122166: Getting credentials Administrator -> ldap/srv1.cygnus.test using ccache MEMORY:UoSUFxe [3360] 1568086923.122167: Retrieving Administrator -> ldap/srv1.cygnus.test from MEMORY:UoSUFxe with result: -1765328243/Matching credential not found [3360] 1568086923.122168: Retrieving Administrator -> krbtgt/CYGNUS.TEST from MEMORY:UoSUFxe with result: 0/Success [3360] 1568086923.122169: Starting with TGT for client realm: Administrator -> krbtgt/CYGNUS.TEST [3360] 1568086923.122170: Requesting tickets for ldap/srv1.cygnus.test, referrals on [3360] 1568086923.122171: Generated subkey for TGS request: aes256-cts/FCCA [3360] 1568086923.122172: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [3360] 1568086923.122174: Encoding request body and padata into FAST request [3360] 1568086923.122175: Sending request (1717 bytes) to CYGNUS.TEST [3360] 1568086923.122176: Resolving hostname 10.65.201.120 [3360] 1568086923.122177: Initiating TCP connection to stream 10.65.201.120:88 [3360] 1568086923.122178: Sending TCP request to stream 10.65.201.120:88 [3360] 1568086924.10678: Received answer (1734 bytes) from stream 10.65.201.120:88 [3360] 1568086924.10679: Terminating TCP connection to stream 10.65.201.120:88 [3360] 1568086924.10680: Response was from master KDC [3360] 1568086924.10681: Decoding FAST response [3360] 1568086924.10682: FAST reply key: aes256-cts/358A [3360] 1568086924.10683: TGS reply is for Administrator -> ldap/srv1.cygnus.test with session key aes256-cts/E4AC [3360] 1568086924.10684: TGS request result: 0/Success [3360] 1568086924.10685: Received creds for desired service ldap/srv1.cygnus.test [3360] 1568086924.10686: Storing Administrator -> ldap/srv1.cygnus.test in MEMORY:UoSUFxe [3360] 1568086924.10688: Creating authenticator for Administrator -> ldap/srv1.cygnus.test, seqnum 1070806145, subkey aes256-cts/436D, session key aes256-cts/E4AC [3360] 1568086924.10693: Read AP-REP, time 1568086925.10689, subkey aes256-cts/1E71, seqnum 1051364748 * Looked up short domain name: CYGNUS * Looked up domain SID: S-1-5-21-362265945-4067830278-750207296 * Using fully qualified name: dell-r730-041.dsal.lab.eng.rdu2.redhat.com * Using domain name: CYGNUS.TEST * Using computer account name: DELL-R730-041 * Using domain realm: CYGNUS.TEST * Calculated computer account name from fqdn: DELL-R730-041 * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * Computer account for DELL-R730-041$ does not exist * Found well known computer container at: CN=Computers,DC=cygnus,DC=test * Calculated computer account: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test * Created computer account: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test * Sending netlogon pings to domain controller: cldap://10.65.201.120 * Received NetLogon info from: srv1.cygnus.test [3360] 1568086926.670202: Getting credentials Administrator -> kadmin/changepw using ccache MEMORY:UoSUFxe [3360] 1568086926.670203: Retrieving Administrator -> kadmin/changepw from MEMORY:UoSUFxe with result: -1765328243/Matching credential not found [3360] 1568086926.670204: Retrieving Administrator -> krbtgt/CYGNUS.TEST from MEMORY:UoSUFxe with result: 0/Success [3360] 1568086926.670205: Starting with TGT for client realm: Administrator -> krbtgt/CYGNUS.TEST [3360] 1568086926.670206: Requesting tickets for kadmin/changepw, referrals on [3360] 1568086926.670207: Generated subkey for TGS request: aes256-cts/4D61 [3360] 1568086926.670208: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [3360] 1568086926.670210: Encoding request body and padata into FAST request [3360] 1568086926.670211: Sending request (1704 bytes) to CYGNUS.TEST [3360] 1568086926.670212: Resolving hostname 10.65.201.120 [3360] 1568086926.670213: Initiating TCP connection to stream 10.65.201.120:88 [3360] 1568086926.670214: Sending TCP request to stream 10.65.201.120:88 [3360] 1568086927.111213: Received answer (1722 bytes) from stream 10.65.201.120:88 [3360] 1568086927.111214: Terminating TCP connection to stream 10.65.201.120:88 [3360] 1568086927.111215: Response was from master KDC [3360] 1568086927.111216: Decoding FAST response [3360] 1568086927.111217: FAST reply key: aes256-cts/9235 [3360] 1568086927.111218: TGS reply is for Administrator -> kadmin/changepw with session key aes256-cts/B1DD [3360] 1568086927.111219: TGS request result: 0/Success [3360] 1568086927.111220: Received creds for desired service kadmin/changepw [3360] 1568086927.111221: Storing Administrator -> kadmin/changepw in MEMORY:UoSUFxe [3360] 1568086927.111223: Creating authenticator for Administrator -> kadmin/changepw, seqnum 0, subkey aes256-cts/D266, session key aes256-cts/B1DD [3360] 1568086927.111225: Resolving hostname 10.65.201.120 [3360] 1568086927.111226: Initiating TCP connection to stream 10.65.201.120:464 [3360] 1568086927.111227: Sending TCP request to stream 10.65.201.120:464 [3360] 1568086927.111228: Received answer (173 bytes) from stream 10.65.201.120:464 [3360] 1568086927.111229: Terminating TCP connection to stream 10.65.201.120:464 [3360] 1568086927.111230: Read AP-REP, time 1568086928.111224, subkey (null), seqnum 0 * Set computer password * Retrieved kvno '2' for computer account in directory: CN=DELL-R730-041,CN=Computers,DC=cygnus,DC=test * Checking RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com * Added RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com * Checking RestrictedKrbHost/DELL-R730-041 * Added RestrictedKrbHost/DELL-R730-041 * Checking host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com * Added host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com * Checking host/DELL-R730-041 * Added host/DELL-R730-041 [3360] 1568086927.111231: Getting initial credentials for DELL-R730-041$@CYGNUS.TEST [3360] 1568086927.111232: Looked up etypes in keytab: aes256-cts, aes128-cts [3360] 1568086927.111234: Sending unauthenticated request [3360] 1568086927.111235: Sending request (211 bytes) to CYGNUS.TEST [3360] 1568086927.111236: Resolving hostname 10.65.201.120 [3360] 1568086927.111237: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086928.35327: Received answer (206 bytes) from dgram 10.65.201.120:88 [3360] 1568086928.35328: Response was from master KDC [3360] 1568086928.35329: Received error from KDC: -1765328359/Additional pre-authentication required [3360] 1568086928.35332: Preauthenticating using KDC method data [3360] 1568086928.35333: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) [3360] 1568086928.35334: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params "" [3360] 1568086928.35335: Retrieving DELL-R730-041$@CYGNUS.TEST from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success [3360] 1568086928.35336: AS key obtained for encrypted timestamp: aes256-cts/9D3D [3360] 1568086928.35338: Encrypted timestamp (for 1568086927.323163): plain 301AA011180F32303139303931303033343230375AA105020304EE5B, encrypted 93AA9781FA2E52CD2806024EBC3CF5720C0BF20C15771A7D9A4A21221EBF589097DB7E1D36EB5E00E5F83F33644B33FB5F6037638DB95131 [3360] 1568086928.35339: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [3360] 1568086928.35340: Produced preauth for next request: PA-ENC-TIMESTAMP (2) [3360] 1568086928.35341: Sending request (291 bytes) to CYGNUS.TEST [3360] 1568086928.35342: Resolving hostname 10.65.201.120 [3360] 1568086928.35343: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086928.35344: Received answer (173 bytes) from dgram 10.65.201.120:88 [3360] 1568086928.35345: Response was from master KDC [3360] 1568086928.35346: Received error from KDC: -1765328360/Preauthentication failed [3360] 1568086928.35349: Getting initial credentials for DELL-R730-041$@CYGNUS.TEST [3360] 1568086928.35350: Looked up etypes in keytab: aes256-cts, aes128-cts [3360] 1568086928.35352: Sending unauthenticated request [3360] 1568086928.35353: Sending request (211 bytes) to CYGNUS.TEST [3360] 1568086928.35354: Resolving hostname 10.65.201.120 [3360] 1568086928.35355: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086928.35356: Received answer (206 bytes) from dgram 10.65.201.120:88 [3360] 1568086928.35357: Response was from master KDC [3360] 1568086928.35358: Received error from KDC: -1765328359/Additional pre-authentication required [3360] 1568086928.35361: Preauthenticating using KDC method data [3360] 1568086928.35362: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) [3360] 1568086928.35363: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params "" [3360] 1568086928.35364: Retrieving DELL-R730-041$@CYGNUS.TEST from MEMORY:adcli-discover-salt (vno 0, enctype aes256-cts) with result: 0/Success [3360] 1568086928.35365: AS key obtained for encrypted timestamp: aes256-cts/2075 [3360] 1568086928.35367: Encrypted timestamp (for 1568086928.776364): plain 301AA011180F32303139303931303033343230385AA10502030BD8AC, encrypted 979D25063F487CC4AAB19A7BF570EFA9F3564CE937CB11CDB2BFA36E01735709F01B2C87C98D2828CA2D62C27A17F21B56138E04914E4DDA [3360] 1568086928.35368: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [3360] 1568086928.35369: Produced preauth for next request: PA-ENC-TIMESTAMP (2) [3360] 1568086928.35370: Sending request (291 bytes) to CYGNUS.TEST [3360] 1568086928.35371: Resolving hostname 10.65.201.120 [3360] 1568086928.35372: Sending initial UDP request to dgram 10.65.201.120:88 [3360] 1568086928.35373: Received answer (94 bytes) from dgram 10.65.201.120:88 [3360] 1568086928.35374: Response was from master KDC [3360] 1568086928.35375: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP [3360] 1568086928.35376: Request or response is too big for UDP; retrying with TCP [3360] 1568086928.35377: Sending request (291 bytes) to CYGNUS.TEST (tcp only) [3360] 1568086928.35378: Resolving hostname 10.65.201.120 [3360] 1568086928.35379: Initiating TCP connection to stream 10.65.201.120:88 [3360] 1568086928.35380: Sending TCP request to stream 10.65.201.120:88 [3360] 1568086929.148986: Received answer (1541 bytes) from stream 10.65.201.120:88 [3360] 1568086929.148987: Terminating TCP connection to stream 10.65.201.120:88 [3360] 1568086929.148988: Response was from master KDC [3360] 1568086929.148989: Processing preauth types: PA-ETYPE-INFO2 (19) [3360] 1568086929.148990: Selected etype info: etype aes256-cts, salt "CYGNUS.TESThostdell-r730-041.cygnus.test", params "" [3360] 1568086929.148991: Produced preauth for next request: (empty) [3360] 1568086929.148992: AS key determined by preauth: aes256-cts/2075 [3360] 1568086929.148993: Decrypted AS reply; session key is: aes256-cts/3E5B [3360] 1568086929.148994: FAST negotiation: unavailable * Discovered which keytab salt to use * Added the entries to the keytab: DELL-R730-041$@CYGNUS.TEST: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/DELL-R730-041: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/dell-r730-041.dsal.lab.eng.rdu2.redhat.com: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/DELL-R730-041: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/dell-r730-041.dsal.lab.eng.rdu2.redhat.com: FILE:/etc/krb5.keytab [root@dell-r730-041 ~]# fips-mode-setup --check FIPS mode is enabled. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3649 |