RHEL-28258: vault fails on non-fips client if server is in FIPS mode

    • Project: RHEL (Red Hat Enterprise Linux)
    • Type: Bug
    • Priority: Normal
    • Resolution: Done-Errata
    • Component: ipa
    • rhel-9.4
    • sst_idm_ipa
    • ssg_idm
    • QE ack, Dev ack
    • 2024-Q1-Alpha-S5
    • Approved Exception
    • Unspecified Release Note Type - Unknown

      What were you trying to do that didn't work?

      Use vault functionality from an IPA client running in non-FIPS mode when the server is running in FIPS mode

      Please provide the package NVR for which bug is seen:

      ipa-client-4.11.0-8.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Install a RHEL 9.4 server in FIPS mode with a KRA: ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 --setup-kra -U
      2. Install a RHEL 9.4 client in non-FIPS mode: ipa-client-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --server server.ipa.test -U
      3. Create a vault from the client: ipa vault-add clientvault --type standard

      Expected results

      The vault should be created successfully

      Actual results

      # ipa vault-add clientvault --type standard
      ipa: ERROR: Unable to archive key: Unable to decrypt passphrase: Failed to unwrap key: (-8190) security library: received bad data.

      All the vault commands fail on the client. A vault created on the server cannot be retrieved on the client:

      # ipa vault-retrieve standardvault
      ipa: ERROR: Unable to retrieve key: Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.

            People: Florence Renaud (frenaud@redhat.com), Sudhir Menon
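Added example, not part of the RHEL-28258 report and not code from the ipa project: a POSIX shell wrapper around the reproduction steps above. It records the client's FIPS state from /proc/sys/crypto/fips_enabled before running the vault commands, and recognises the NSS error signature quoted in the actual results (error code -8190, which is NSS SEC_ERROR_BAD_DATA) so a test harness can tell this failure apart from other ipa errors. The helper names, the optional path argument to `fips_enabled` (used so the check can be pointed at a constructed file), and the `repro` function are assumptions of this example; the `ipa vault-add` and `ipa vault-retrieve` command lines are the ones from the report.

```shell
#!/bin/sh
# Added example for RHEL-28258 (not from the report or the ipa project):
# FIPS preflight plus classification of the vault error seen on a non-FIPS
# client talking to a FIPS server. Helper names are assumptions.

# Print "1" if the kernel reports FIPS mode enabled, "0" otherwise.
# The path argument is an assumption of this example so the function can be
# exercised against a constructed file; the real path on RHEL is
# /proc/sys/crypto/fips_enabled.
fips_enabled() {
    path="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$path" ] && [ "$(cat "$path")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Return 0 when the given ipa error text carries the NSS key-unwrap failure
# from the report (code -8190, NSS SEC_ERROR_BAD_DATA), 1 otherwise.
is_unwrap_failure() {
    printf '%s\n' "$1" | grep -q 'Failed to unwrap key: (-8190)'
}

# Run one ipa command on the client and classify the outcome as
# "ok", "unwrap-failure" or "other-error". Written with an if-assignment so
# it is safe under "set -e".
run_vault_cmd() {
    if out=$(ipa "$@" 2>&1); then
        echo ok
    elif is_unwrap_failure "$out"; then
        echo unwrap-failure
    else
        echo other-error
    fi
}

# Reproduction from the client host, as in the report: create a standard
# vault, then retrieve a vault that was created on the server. Requires an
# enrolled client and a valid Kerberos ticket; not run when this file is
# merely sourced.
repro() {
    echo "client FIPS mode: $(fips_enabled)"
    echo "vault-add:        $(run_vault_cmd vault-add clientvault --type standard)"
    echo "vault-retrieve:   $(run_vault_cmd vault-retrieve standardvault)"
}
```

Source the file on the client and call `repro`; a non-FIPS client against a FIPS server with a KRA prints "client FIPS mode: 0" followed by "unwrap-failure" for both commands, which is the signature of this bug rather than a generic enrolment or Kerberos problem.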