This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1924707 - Establishing trust with AD domain using shared secret fails in FIPS mode
Summary: Establishing trust with AD domain using shared secret fails in FIPS mode
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 8.0
Assignee: Trivino
QA Contact: ipa-qe
lmcgarry
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-03 13:40 UTC by Sergey Orlov
Modified: 2024-01-17 04:25 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.FIPS mode does not support using a shared secret to establish a cross-forest trust Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.
Clone Of:
Environment:
Last Closed: 2023-09-18 18:39:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
/var/log/httpd/error_log (7.41 KB, text/plain)
2021-02-11 15:42 UTC, Sergey Orlov
no flags Details
/var/log/samba/log.smbd (3.08 KB, text/plain)
2021-02-11 15:42 UTC, Sergey Orlov
no flags Details
network traffic for first attempt to run CreateLocalSideOfTrustRelationship (5.24 KB, application/vnd.tcpdump.pcap)
2021-02-11 15:44 UTC, Sergey Orlov
no flags Details
network traffic for second attempt to run CreateLocalSideOfTrustRelationship (3.58 KB, application/vnd.tcpdump.pcap)
2021-02-11 15:44 UTC, Sergey Orlov
no flags Details
/var/log/samba (8.72 KB, application/gzip)
2021-02-11 16:05 UTC, Sergey Orlov
no flags Details
network traffic for CreateLocalSideOfTrustRelationship without FIPS (9.84 KB, application/vnd.tcpdump.pcap)
2021-02-11 16:25 UTC, Sergey Orlov
no flags Details
logs with rc4 disabled on Windows side (199.89 KB, application/gzip)
2021-02-12 15:02 UTC, Sergey Orlov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7157 0 None None None 2021-10-22 17:49:54 UTC
Red Hat Issue Tracker   RHEL-4847 0 None Migrated None 2023-09-18 18:39:47 UTC

Description Sergey Orlov 2021-02-03 13:40:52 UTC
Description of problem:
When trying to establish trust with AD domain with IPA in FIPS mode creation of Windows side of trust fails with "Access denied"

Version-Release number of selected component (if applicable):

ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py
2. Look at results of test case "test_establish_forest_trust_with_shared_secret"

Actual results:
transport.py               513 DEBUG    RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")']
transport.py               558 DEBUG    bash: line 2: /home/Administrator/env.sh: No such file or directory
transport.py               558 DEBUG    Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied.
transport.py               558 DEBUG    "
transport.py               558 DEBUG    At line:1 char:1
transport.py               558 DEBUG    + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ...
transport.py               558 DEBUG    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
transport.py               558 DEBUG        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
transport.py               558 DEBUG        + FullyQualifiedErrorId : UnauthorizedAccessException
transport.py               558 DEBUG     
transport.py               214 ERROR    Exit code: 1



Additional info:
The test succeeds in non-FIPS mode in otherwise equivalent environment.

Comment 1 Alexander Bokovoy 2021-02-09 09:59:12 UTC
Please collect Samba debug logs and network traces between IPA and AD DCs during this test run. All traffic, both TCP and UDP.

Comment 2 Sergey Orlov 2021-02-11 15:40:42 UTC
With "log level = 10" in /usr/share/ipa/smb.conf.empty no lines are added to /var/log/httpd/error_log during execution of CreateLocalSideOfTrustRelationship

In attached log the last message is dated "16:10:30" while command was executed around 16:24
I also attach two trafic logs for two sequental attempts to execute CreateLocalSideOfTrustRelationship

master1.testrelm.test is 192.168.121.73
ad1.ad.test is 192.168.121.165

Comment 3 Sergey Orlov 2021-02-11 15:42:09 UTC
Created attachment 1756396 [details]
/var/log/httpd/error_log

Comment 4 Sergey Orlov 2021-02-11 15:42:52 UTC
Created attachment 1756397 [details]
/var/log/samba/log.smbd

Comment 5 Sergey Orlov 2021-02-11 15:44:05 UTC
Created attachment 1756398 [details]
network traffic for first attempt to run CreateLocalSideOfTrustRelationship

Comment 6 Sergey Orlov 2021-02-11 15:44:30 UTC
Created attachment 1756399 [details]
network traffic for second attempt to run CreateLocalSideOfTrustRelationship

Comment 7 Sergey Orlov 2021-02-11 16:05:23 UTC
Created attachment 1756400 [details]
/var/log/samba

Samba logs collected with "net conf setparm global loglevel 10"

Comment 8 Sergey Orlov 2021-02-11 16:19:23 UTC
I have tried to establish trust using Windows GUI as explained in https://freeipa.readthedocs.io/en/latest/designs/adtrust/oneway-trust-with-shared-secret.html

In step "Choose ‘Forest trust’ on the Trust Type page" it presents another dialog: "To create this trust relationship you must supply user credentials for the specified domain"

Comment 9 Sergey Orlov 2021-02-11 16:25:21 UTC
Created attachment 1756403 [details]
network traffic for CreateLocalSideOfTrustRelationship without FIPS

Comment 10 Sergey Orlov 2021-02-11 16:27:18 UTC
Without FIPS both variants works.
I have provided network traffic capture for establishing trust using PowerShell.

Comment 11 Alexander Bokovoy 2021-02-12 10:01:02 UTC
So, according to the network traffic for non-FIPS mode, AD DC attempts to auth to IPA DC with NTLMSSP. That's blocked in FIPS mode because RC4 (NTLM hash) is not allowed in FIPS mode, so that should be expected. 

The difference: in case of non-FIPS we respond with with STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE which leads to eventual STATUS_LOGON_FAILURE and then use of a different method. In FIPS mode we don't do that and AD DC never goes further with a different method.

Comment 12 Sergey Orlov 2021-02-12 15:02:09 UTC
Created attachment 1756632 [details]
logs with rc4 disabled on Windows side

Comment 13 Alexander Bokovoy 2021-02-16 08:46:11 UTC
This warrant more investigation which may prove it would be not possible to use a shared secret trust in FIPS mode.
I added a documentation note for RHEL 8.4.

Comment 14 Florence Blanc-Renaud 2021-02-16 09:47:39 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8715

Comment 17 Sergey Orlov 2021-02-19 15:25:55 UTC
Tests for trust with shared secret should be skipped in FIPS mode: https://bugzilla.redhat.com/show_bug.cgi?id=1930796

Comment 32 Josip Vilicic 2023-01-24 21:30:16 UTC
Hi Triviño,

Do you know if it looks like this bug might get fixed in time for RHEL 8.8?

Take care,

Josip

Comment 36 RHEL Program Management 2023-09-18 18:37:38 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 37 RHEL Program Management 2023-09-18 18:39:49 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Comment 38 Red Hat Bugzilla 2024-01-17 04:25:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days


Note You need to log in before you can comment on or make changes to this bug.