Bug 1924707 - Establishing trust with AD domain using shared secret fails in FIPS mode
Summary: Establishing trust with AD domain using shared secret fails in FIPS mode
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
Josip Vilicic
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-03 13:40 UTC by Sergey Orlov
Modified: 2021-04-21 20:04 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.FIPS mode does not support using a shared secret to establish a cross-forest trust Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)
/var/log/httpd/error_log (7.41 KB, text/plain)
2021-02-11 15:42 UTC, Sergey Orlov
no flags Details
/var/log/samba/log.smbd (3.08 KB, text/plain)
2021-02-11 15:42 UTC, Sergey Orlov
no flags Details
network traffic for first attempt to run CreateLocalSideOfTrustRelationship (5.24 KB, application/vnd.tcpdump.pcap)
2021-02-11 15:44 UTC, Sergey Orlov
no flags Details
network traffic for second attempt to run CreateLocalSideOfTrustRelationship (3.58 KB, application/vnd.tcpdump.pcap)
2021-02-11 15:44 UTC, Sergey Orlov
no flags Details
/var/log/samba (8.72 KB, application/gzip)
2021-02-11 16:05 UTC, Sergey Orlov
no flags Details
network traffic for CreateLocalSideOfTrustRelationship without FIPS (9.84 KB, application/vnd.tcpdump.pcap)
2021-02-11 16:25 UTC, Sergey Orlov
no flags Details
logs with rc4 disabled on Windows side (199.89 KB, application/gzip)
2021-02-12 15:02 UTC, Sergey Orlov
no flags Details

Description Sergey Orlov 2021-02-03 13:40:52 UTC
Description of problem:
When trying to establish trust with AD domain with IPA in FIPS mode creation of Windows side of trust fails with "Access denied"

Version-Release number of selected component (if applicable):

ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py
2. Look at results of test case "test_establish_forest_trust_with_shared_secret"

Actual results:
transport.py               513 DEBUG    RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")']
transport.py               558 DEBUG    bash: line 2: /home/Administrator/env.sh: No such file or directory
transport.py               558 DEBUG    Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied.
transport.py               558 DEBUG    "
transport.py               558 DEBUG    At line:1 char:1
transport.py               558 DEBUG    + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ...
transport.py               558 DEBUG    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
transport.py               558 DEBUG        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
transport.py               558 DEBUG        + FullyQualifiedErrorId : UnauthorizedAccessException
transport.py               558 DEBUG     
transport.py               214 ERROR    Exit code: 1



Additional info:
The test succeeds in non-FIPS mode in otherwise equivalent environment.

Comment 1 Alexander Bokovoy 2021-02-09 09:59:12 UTC
Please collect Samba debug logs and network traces between IPA and AD DCs during this test run. All traffic, both TCP and UDP.

Comment 2 Sergey Orlov 2021-02-11 15:40:42 UTC
With "log level = 10" in /usr/share/ipa/smb.conf.empty no lines are added to /var/log/httpd/error_log during execution of CreateLocalSideOfTrustRelationship

In attached log the last message is dated "16:10:30" while command was executed around 16:24
I also attach two trafic logs for two sequental attempts to execute CreateLocalSideOfTrustRelationship

master1.testrelm.test is 192.168.121.73
ad1.ad.test is 192.168.121.165

Comment 3 Sergey Orlov 2021-02-11 15:42:09 UTC
Created attachment 1756396 [details]
/var/log/httpd/error_log

Comment 4 Sergey Orlov 2021-02-11 15:42:52 UTC
Created attachment 1756397 [details]
/var/log/samba/log.smbd

Comment 5 Sergey Orlov 2021-02-11 15:44:05 UTC
Created attachment 1756398 [details]
network traffic for first attempt to run CreateLocalSideOfTrustRelationship

Comment 6 Sergey Orlov 2021-02-11 15:44:30 UTC
Created attachment 1756399 [details]
network traffic for second attempt to run CreateLocalSideOfTrustRelationship

Comment 7 Sergey Orlov 2021-02-11 16:05:23 UTC
Created attachment 1756400 [details]
/var/log/samba

Samba logs collected with "net conf setparm global loglevel 10"

Comment 8 Sergey Orlov 2021-02-11 16:19:23 UTC
I have tried to establish trust using Windows GUI as explained in https://freeipa.readthedocs.io/en/latest/designs/adtrust/oneway-trust-with-shared-secret.html

In step "Choose ‘Forest trust’ on the Trust Type page" it presents another dialog: "To create this trust relationship you must supply user credentials for the specified domain"

Comment 9 Sergey Orlov 2021-02-11 16:25:21 UTC
Created attachment 1756403 [details]
network traffic for CreateLocalSideOfTrustRelationship without FIPS

Comment 10 Sergey Orlov 2021-02-11 16:27:18 UTC
Without FIPS both variants works.
I have provided network traffic capture for establishing trust using PowerShell.

Comment 11 Alexander Bokovoy 2021-02-12 10:01:02 UTC
So, according to the network traffic for non-FIPS mode, AD DC attempts to auth to IPA DC with NTLMSSP. That's blocked in FIPS mode because RC4 (NTLM hash) is not allowed in FIPS mode, so that should be expected. 

The difference: in case of non-FIPS we respond with with STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE which leads to eventual STATUS_LOGON_FAILURE and then use of a different method. In FIPS mode we don't do that and AD DC never goes further with a different method.

Comment 12 Sergey Orlov 2021-02-12 15:02:09 UTC
Created attachment 1756632 [details]
logs with rc4 disabled on Windows side

Comment 13 Alexander Bokovoy 2021-02-16 08:46:11 UTC
This warrant more investigation which may prove it would be not possible to use a shared secret trust in FIPS mode.
I added a documentation note for RHEL 8.4.

Comment 14 Florence Blanc-Renaud 2021-02-16 09:47:39 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8715

Comment 17 Sergey Orlov 2021-02-19 15:25:55 UTC
Tests for trust with shared secret should be skipped in FIPS mode: https://bugzilla.redhat.com/show_bug.cgi?id=1930796


Note You need to log in before you can comment on or make changes to this bug.