Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1924707

Summary: Establishing trust with AD domain using shared secret fails in FIPS mode
Product: Red Hat Enterprise Linux 8 Reporter: Sergey Orlov <sorlov>
Component: ipaAssignee: Trivino <ftrivino>
Status: CLOSED MIGRATED QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: lmcgarry
Priority: high    
Version: 8.4CC: abokovoy, awestbro, ftrivino, gkaihoro, pasik, rcritten, ssidhaye, tscherf
Target Milestone: rcKeywords: Documentation, MigratedToJIRA, Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.FIPS mode does not support using a shared secret to establish a cross-forest trust Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-18 18:39:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/httpd/error_log
none
/var/log/samba/log.smbd
none
network traffic for first attempt to run CreateLocalSideOfTrustRelationship
none
network traffic for second attempt to run CreateLocalSideOfTrustRelationship
none
/var/log/samba
none
network traffic for CreateLocalSideOfTrustRelationship without FIPS
none
logs with rc4 disabled on Windows side none

Description Sergey Orlov 2021-02-03 13:40:52 UTC 
Description of problem:
When trying to establish trust with AD domain with IPA in FIPS mode creation of Windows side of trust fails with "Access denied"

Version-Release number of selected component (if applicable):

ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py
2. Look at results of test case "test_establish_forest_trust_with_shared_secret"

Actual results:
transport.py               513 DEBUG    RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")']
transport.py               558 DEBUG    bash: line 2: /home/Administrator/env.sh: No such file or directory
transport.py               558 DEBUG    Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied.
transport.py               558 DEBUG    "
transport.py               558 DEBUG    At line:1 char:1
transport.py               558 DEBUG    + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ...
transport.py               558 DEBUG    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
transport.py               558 DEBUG        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
transport.py               558 DEBUG        + FullyQualifiedErrorId : UnauthorizedAccessException
transport.py               558 DEBUG     
transport.py               214 ERROR    Exit code: 1



Additional info:
The test succeeds in non-FIPS mode in otherwise equivalent environment.
Comment 1 Alexander Bokovoy 2021-02-09 09:59:12 UTC 
Please collect Samba debug logs and network traces between IPA and AD DCs during this test run. All traffic, both TCP and UDP.
Comment 2 Sergey Orlov 2021-02-11 15:40:42 UTC 
With "log level = 10" in /usr/share/ipa/smb.conf.empty no lines are added to /var/log/httpd/error_log during execution of CreateLocalSideOfTrustRelationship

In attached log the last message is dated "16:10:30" while command was executed around 16:24
I also attach two trafic logs for two sequental attempts to execute CreateLocalSideOfTrustRelationship

master1.testrelm.test is 192.168.121.73
ad1.ad.test is 192.168.121.165
Comment 3 Sergey Orlov 2021-02-11 15:42:09 UTC 
Created attachment 1756396 [details]
/var/log/httpd/error_log
Comment 4 Sergey Orlov 2021-02-11 15:42:52 UTC 
Created attachment 1756397 [details]
/var/log/samba/log.smbd
Comment 5 Sergey Orlov 2021-02-11 15:44:05 UTC 
Created attachment 1756398 [details]
network traffic for first attempt to run CreateLocalSideOfTrustRelationship
Comment 6 Sergey Orlov 2021-02-11 15:44:30 UTC 
Created attachment 1756399 [details]
network traffic for second attempt to run CreateLocalSideOfTrustRelationship
Comment 7 Sergey Orlov 2021-02-11 16:05:23 UTC 
Created attachment 1756400 [details]
/var/log/samba

Samba logs collected with "net conf setparm global loglevel 10"
Comment 8 Sergey Orlov 2021-02-11 16:19:23 UTC 
I have tried to establish trust using Windows GUI as explained in https://freeipa.readthedocs.io/en/latest/designs/adtrust/oneway-trust-with-shared-secret.html

In step "Choose ‘Forest trust’ on the Trust Type page" it presents another dialog: "To create this trust relationship you must supply user credentials for the specified domain"
Comment 9 Sergey Orlov 2021-02-11 16:25:21 UTC 
Created attachment 1756403 [details]
network traffic for CreateLocalSideOfTrustRelationship without FIPS
Comment 10 Sergey Orlov 2021-02-11 16:27:18 UTC 
Without FIPS both variants works.
I have provided network traffic capture for establishing trust using PowerShell.
Comment 11 Alexander Bokovoy 2021-02-12 10:01:02 UTC 
So, according to the network traffic for non-FIPS mode, AD DC attempts to auth to IPA DC with NTLMSSP. That's blocked in FIPS mode because RC4 (NTLM hash) is not allowed in FIPS mode, so that should be expected. 

The difference: in case of non-FIPS we respond with with STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE which leads to eventual STATUS_LOGON_FAILURE and then use of a different method. In FIPS mode we don't do that and AD DC never goes further with a different method.
Comment 12 Sergey Orlov 2021-02-12 15:02:09 UTC 
Created attachment 1756632 [details]
logs with rc4 disabled on Windows side
Comment 13 Alexander Bokovoy 2021-02-16 08:46:11 UTC 
This warrant more investigation which may prove it would be not possible to use a shared secret trust in FIPS mode.
I added a documentation note for RHEL 8.4.
Comment 14 Florence Blanc-Renaud 2021-02-16 09:47:39 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8715
Comment 17 Sergey Orlov 2021-02-19 15:25:55 UTC 
Tests for trust with shared secret should be skipped in FIPS mode: https://bugzilla.redhat.com/show_bug.cgi?id=1930796
Comment 32 Josip Vilicic 2023-01-24 21:30:16 UTC 
Hi Triviño,

Do you know if it looks like this bug might get fixed in time for RHEL 8.8?

Take care,

Josip
Comment 36 RHEL Program Management 2023-09-18 18:37:38 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 37 RHEL Program Management 2023-09-18 18:39:49 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Comment 38 Red Hat Bugzilla 2024-01-17 04:25:07 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days