What were you trying to do that didn't work?

With samba-4.21.3-3 and FIPS enabled, joining to AD fails.

Executed command:

kinit -k -t samba.keytab samba
net ads join --debuglevel=10 --no-dns-updates --kerberos createcomputer="Build OU/Linux"

It fails with the following error:

Failed to join domain: failed to connect to AD: An invalid parameter was passed to a service or function.

Workarounds:

• Temporary disabling FIPS results in working AD joins.
• Downgrading to samba-4.20.2-2 results on working AD joins.

Additional info:

Tested with different crypto policies, behavior is the same (FIPS, FIPS:AD-SUPPORT, FIPS:AD-SUPPORT:SHA1, FIPS:AD-SUPPORT-LEGACY)

What is the impact of this issue to you?

RHEL systems running samba-4.21.3-3 with FIPS enabled are failing to join AD domain.

Please provide the package NVR for which the bug is seen:

samba-4.21.3-3

How reproducible is this bug?:

Steps to reproduce

1. Enable FIPS
2. Install Samba/Winbind packages
3. Attempt to join AD domain.

Expected results

Successful join to the domain.

Actual results

Join process is failing with the following error:

Failed to join domain: failed to connect to AD: An invalid parameter was passed to a service or function.