Hide Forgot
Description of problem: Even after applying "update-crypto-policies --set FIPS:AD-SUPPORT", the ipa trust-add fails with the Error: "Insufficient access in FIPS mode." Version-Release number of selected component (if applicable): ipa-server-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64 ipa-server-dns-4.9.10-5.module+el8.7.0+16195+c459c321.noarch ipa-server-trust-ad-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64 sssd-ipa-2.7.3-2.el8.x86_64 How reproducible: 100% console output: 2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Setting system policy to FIPS:AD-SUPPORT 2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Note: System-wide crypto policies are applied on application start-up. 2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] It is recommended to restart the system for the change of policies 2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] to fully take place. Running 'echo <xxxxxxxx> | ipa trust-add win2012r2-fl8g.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True' 2022-08-22T18:17:01+0000 [ip-10-0-203-230.rhos] *** Current Time: Mon Aug 22 14:17:00 2022 Localwatchdog at: Tue Aug 23 13:31:00 2022 2022-08-22T18:17:08+0000 [ip-10-0-203-147.rhos] *** Current Time: Mon Aug 22 14:17:07 2022 Localwatchdog at: Tue Aug 23 13:31:06 2022 2022-08-22T18:17:32+0000 [ip-10-0-203-230.rhos] ipa: ERROR: Insufficient access: IPA master denied trust validation requests from AD DC 10 times. Most likely AD DC contacted a replica that has no trust information replicated yet. Additionally, please check that AD DNS is able to resolve _ldap._tcp.atmt2k12r2.test, _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.atmt2k12r2.test SRV records to the correct IPA server. Additional information: sssd.log (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x4000): [RID#1] Trying to add idmap for domain [S-1-5-21-2745230106-1393044594-1451765025]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sss_domain_get_state] (0x1000): [RID#1] Domain atmt2k12r2.test is Active (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x0040): [RID#1] find_domain_by_sid failed with SID [S-1-5-21-2745230106-1393044594-1451765025]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): [RID#1] ipa_idmap_check_posix_child failed. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): [RID#1] Could not add new domain for sid [S-1-5-21-2745230106-1393044594-1451765025] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_subdom_store] (0x0400): [RID#1] Domain mpg mode for win2012r2-fl8g.test: false (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ldb] (0x10000): [RID#1] Added timed event "ldb_kv_callback": 0x564d23962a80
Hi, > ipa: ERROR: Insufficient access: IPA master denied trust validation requests from AD DC 10 times. Why did you change component to 'sssd'?
Alexey, we see SSSD logs a message which wasn't there in previous versions and we want you to analyze why this happens: (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x4000): [RID#1] Trying to add idmap for domain [S-1-5-21-2745230106-1393044594-1451765025]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sss_domain_get_state] (0x1000): [RID#1] Domain atmt2k12r2.test is Active (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x0040): [RID#1] find_domain_by_sid failed with SID [S-1-5-21-2745230106-1393044594-1451765025]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): [RID#1] ipa_idmap_check_posix_child failed. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): [RID#1] Could not add new domain for sid [S-1-5-21-2745230106-1393044594-1451765025] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_subdom_store] (0x0400): [RID#1] Domain mpg mode for win2012r2-fl8g.test: false (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ldb] (0x10000): [RID#1] Added timed event "ldb_kv_callback": 0x564d23962a80 We never seen this before.
SID "S-1-5-21-2745230106-1393044594-1451765025" in unknown to SSSD at this point. Is this a SID of a child domain? Sumit, could you please take a look?
Hi, the behavior of SSSD is expected because there are no id-ranges for the trusted AD forest created, maybe due to the validation error. If you grep the logs for 'RID#1' you can see the whole 'Subdomains' requests which read various data from the IPA server about trusted domains and other centrally managed configuration. First the id-ranges are read (I filtered out [ldb] messages: (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_search_bases_ex_next_base] (0x0400): [RID#1] Issuing LDAP lookup with base [cn=ranges,cn=etc,dc=atmt2k12r2,dc=test] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_print_server] (0x2000): [RID#1] Searching 10.0.203.230:389 (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x0400): [RID#1] calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=atmt2k12r2,dc=test]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [objectClass] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [cn] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaBaseID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaBaseRID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaSecondaryBaseRID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaIDRangeSize] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaNTTrustedDomainSID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaRangeType] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x1000): [RID#1] Requesting attrs: [ipaAutoPrivateGroups] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_ext_step] (0x2000): [RID#1] ldap_search_ext called, msgid = 6 (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_op_add] (0x2000): [RID#1] New operation 6 timeout 6 (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_process_message] (0x4000): [RID#1] Message type: [LDAP_RES_SEARCH_ENTRY] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_call_op_callback] (0x20000): [RID#1] Handling LDAP operation [6][server: [10.0.203.230:389] filter: [objectclass=ipaIDRange] base: [cn=ranges,cn=etc,dc=atmt2k12r2,dc=test]] took [26.926] milliseconds. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_entry] (0x1000): [RID#1] OriginalDN: [cn=ATMT2K12R2.TEST_id_range,cn=ranges,cn=etc,dc=atmt2k12r2,dc=test]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [objectClass] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [cn] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaBaseID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaBaseRID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaSecondaryBaseRID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaIDRangeSize] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaRangeType] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_process_message] (0x4000): [RID#1] Message type: [LDAP_RES_SEARCH_ENTRY] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_entry] (0x1000): [RID#1] OriginalDN: [cn=ATMT2K12R2.TEST_subid_range,cn=ranges,cn=etc,dc=atmt2k12r2,dc=test]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [objectClass] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [cn] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaBaseID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaBaseRID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaIDRangeSize] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaNTTrustedDomainSID] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_parse_range] (0x2000): [RID#1] No sub-attributes for [ipaRangeType] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_process_message] (0x4000): [RID#1] Message type: [LDAP_RES_SEARCH_RESULT] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_get_generic_op_finished] (0x0400): [RID#1] Search result: Success(0), no errmsg set (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_op_destructor] (0x2000): [RID#1] Operation 6 finished (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_search_bases_ex_done] (0x0400): [RID#1] Receiving data from base [cn=ranges,cn=etc,dc=atmt2k12r2,dc=test] (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sysdb_update_ranges] (0x0400): [RID#1] Adding range [ATMT2K12R2.TEST_id_range]. (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sysdb_update_ranges] (0x0400): [RID#1] Adding range [ATMT2K12R2.TEST_subid_range]. Only the id-range and subid-range of the IPA domain are found. Later on when reading the trusted domains the trusted AD domain is found but since there is no id-range for the domain it cannot be added properly which is shown in the log snippet from the Description. HTH bye, Sumit