Bug 1860129 - ipa trust-add fails when FIPS enabled
Summary: ipa trust-add fails when FIPS enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Duplicates: 1874396
Depends On:
Blocks: 1793411 1894575
Reported: 2020-07-23 18:20 UTC by Scott Poore
Modified: 2024-03-25 16:12 UTC

Fixed In Version: ipa-4.9.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 8655 0 None None None 2021-01-13 08:40:17 UTC

Description Scott Poore 2020-07-23 18:20:52 UTC
Description of problem:

When FIPS is enabled on a RHEL8 IPA Server, I cannot add an AD trust:

# echo Secret123 | ipa trust-add adcs19.test    --two-way True --admin Administrator --password
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")


Version-Release number of selected component (if applicable):
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Enable FIPS mode on server
2.  Install IPA
3.  Set up DNS as necessary for IPA and AD
4.  ipa trust-add

Actual results:
Error as shown above

Expected results:
Adds trust with AD server.

Additional info:

Comment 4 Kaleem 2020-09-08 12:17:11 UTC
*** Bug 1874396 has been marked as a duplicate of this bug. ***

Comment 22 Michal Polovka 2021-02-02 11:36:57 UTC
Verified using ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 and ipa-server-trust-ad-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64 in RHEL8.4 nightly build running in FIPS mode.

Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_nonposix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_trustdomains_found_in_nonposix_trust 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_range_properties_in_nonposix_trust 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_user_gid_uid_resolution_in_nonposix_trust 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_ipa_commands_run_as_aduser 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_ipa_management_run_as_aduser 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_password_login_as_aduser 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_ipauser_authentication_with_nonposix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_upn_in_nonposix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_upn_user_resolution_in_nonposix_trust 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_upn_user_authentication_in_nonposix_trust 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_users 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_groups 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasuser_group 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_sudorules_ad_runasgroup 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_nonposix_trust 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_subordinate_suffixes_trust 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_posix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_trustdomains_found_in_posix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_range_properties_in_posix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_user_uid_gid_resolution_in_posix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_user_without_posix_attributes_not_visible 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_override_homedir 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_extdom_plugin 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_posix_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_invalid_range_types 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_external_subdomain_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_trustdomains_found_in_external_subdomain_trust 	 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_user_gid_uid_resolution_in_external_subdomain_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_external_subdomain_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_nonexternal_subdomain_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_external_treedomain_trust 	
Passed 	test_integration/test_trust.py::TestTrust::()::test_trustdomains_found_in_external_treedomain_trust 		
Passed 	test_integration/test_trust.py::TestTrust::()::test_user_gid_uid_resolution_in_external_treedomain_trust 
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_external_treedomain_trust
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_nonexternal_treedomain_trust 
Passed 	test_integration/test_trust.py::TestTrust::()::test_establish_external_rootdomain_trust	
Passed 	test_integration/test_trust.py::TestTrust::()::test_trustdomains_found_in_external_rootdomain_trust
Passed 	test_integration/test_trust.py::TestTrust::()::test_remove_external_rootdomain_trust

There are failures in other test cases in this test class, however those are unrelated to this BZ. 
Full test log is an attachment of this BZ.

Comment 27 errata-xmlrpc 2021-05-18 15:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Comment 28 Red Hat Bugzilla 2023-09-15 00:34:37 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.
