Description of problem:
When trying to establish trust with AD domain with IPA in FIPS mode creation of Windows side of trust fails with "Access denied"
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py
2. Look at results of test case "test_establish_forest_trust_with_shared_secret"
transport.py 513 DEBUG RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")']
transport.py 558 DEBUG bash: line 2: /home/Administrator/env.sh: No such file or directory
transport.py 558 DEBUG Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied.
transport.py 558 DEBUG "
transport.py 558 DEBUG At line:1 char:1
transport.py 558 DEBUG + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ...
transport.py 558 DEBUG + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
transport.py 558 DEBUG + CategoryInfo : NotSpecified: (:) , MethodInvocationException
transport.py 558 DEBUG + FullyQualifiedErrorId : UnauthorizedAccessException
transport.py 558 DEBUG
transport.py 214 ERROR Exit code: 1
The test succeeds in non-FIPS mode in otherwise equivalent environment.
Please collect Samba debug logs and network traces between IPA and AD DCs during this test run. All traffic, both TCP and UDP.
With "log level = 10" in /usr/share/ipa/smb.conf.empty no lines are added to /var/log/httpd/error_log during execution of CreateLocalSideOfTrustRelationship
In attached log the last message is dated "16:10:30" while command was executed around 16:24
I also attach two trafic logs for two sequental attempts to execute CreateLocalSideOfTrustRelationship
master1.testrelm.test is 192.168.121.73
ad1.ad.test is 192.168.121.165
Created attachment 1756396 [details]
Created attachment 1756397 [details]
Created attachment 1756398 [details]
network traffic for first attempt to run CreateLocalSideOfTrustRelationship
Created attachment 1756399 [details]
network traffic for second attempt to run CreateLocalSideOfTrustRelationship
Created attachment 1756400 [details]
Samba logs collected with "net conf setparm global loglevel 10"
I have tried to establish trust using Windows GUI as explained in https://freeipa.readthedocs.io/en/latest/designs/adtrust/oneway-trust-with-shared-secret.html
In step "Choose ‘Forest trust’ on the Trust Type page" it presents another dialog: "To create this trust relationship you must supply user credentials for the specified domain"
Created attachment 1756403 [details]
network traffic for CreateLocalSideOfTrustRelationship without FIPS
Without FIPS both variants works.
I have provided network traffic capture for establishing trust using PowerShell.
So, according to the network traffic for non-FIPS mode, AD DC attempts to auth to IPA DC with NTLMSSP. That's blocked in FIPS mode because RC4 (NTLM hash) is not allowed in FIPS mode, so that should be expected.
The difference: in case of non-FIPS we respond with with STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE which leads to eventual STATUS_LOGON_FAILURE and then use of a different method. In FIPS mode we don't do that and AD DC never goes further with a different method.
Created attachment 1756632 [details]
logs with rc4 disabled on Windows side
This warrant more investigation which may prove it would be not possible to use a shared secret trust in FIPS mode.
I added a documentation note for RHEL 8.4.
Tests for trust with shared secret should be skipped in FIPS mode: https://bugzilla.redhat.com/show_bug.cgi?id=1930796