RHEL-4847: Establishing trust with AD domain using shared secret fails in FIPS mode

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-8.4.0
    • ipa
    • sst_idm_ipa
    • ssg_idm
    • Known Issue

      FIPS mode does not support using a shared secret to establish a cross-forest trust

      Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP authentication is not FIPS-compliant. To work around this problem, authenticate with an Active Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS mode enabled and an AD domain.
    • Done

      Description of problem:
      When trying to establish a trust with an AD domain with IPA in FIPS mode, creation of the Windows side of the trust fails with "Access denied".

      Version-Release number of selected component (if applicable):

      ipa-server-4.9.1-1.module+el8.4.0+9665+c9815399.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      1. Execute test suite: freeipa/ipatests/test_integration/test_trust.py
      2. Look at results of test case "test_establish_forest_trust_with_shared_secret"

      Actual results:
      transport.py 513 DEBUG RUN ['powershell', '-c', '[System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().CreateLocalSideOfTrustRelationship("testrelm.test", 1, "qwertyuiopQq!1")']
      transport.py 558 DEBUG bash: line 2: /home/Administrator/env.sh: No such file or directory
      transport.py 558 DEBUG Exception calling "CreateLocalSideOfTrustRelationship" with "3" argument(s): "Access is denied.
      transport.py 558 DEBUG "
      transport.py 558 DEBUG At line:1 char:1
      transport.py 558 DEBUG + [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest() ...
      transport.py 558 DEBUG + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      transport.py 558 DEBUG + CategoryInfo : NotSpecified: ( [], MethodInvocationException
      transport.py 558 DEBUG + FullyQualifiedErrorId : UnauthorizedAccessException
      transport.py 558 DEBUG
      transport.py 214 ERROR Exit code: 1

      Additional info:
      The test succeeds in non-FIPS mode in an otherwise equivalent environment.
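The release note and the test log above come down to one rule: a shared-secret (NTLMSSP-based) cross-forest trust cannot be established from a FIPS-enabled IdM server, so the trust must be created with AD administrator credentials instead. The script below is an added example, not code from this bug report or from FreeIPA; it is a preflight check that reads the kernel FIPS flag and refuses the shared-secret method when FIPS is on. It assumes the kernel exposes FIPS state in `/proc/sys/crypto/fips_enabled` and that the `ipa trust-add` command accepts `--trust-secret` and `--admin`/`--password` (both are assumptions about the FreeIPA CLI, not taken from this page); `ad.example.test` and `Administrator` are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): preflight check before
# running `ipa trust-add`. On a FIPS-enabled IdM server the shared-secret
# method relies on NTLMSSP, which is not FIPS-compliant, so insist on
# AD admin credentials instead.
# Assumptions: kernel exposes FIPS state in /proc/sys/crypto/fips_enabled;
# `ipa trust-add` accepts --trust-secret and --admin/--password.

# fips_enabled [FILE] -> prints 1 if FIPS mode is on, 0 otherwise.
# FILE defaults to the kernel flag; an unreadable file counts as "off".
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# trust_add_args METHOD AD_DOMAIN FIPS_FLAG [ADMIN]
# METHOD is "shared-secret" or "admin". Prints the argument string for
# `ipa trust-add`, or prints nothing and returns 1 when the combination is
# known not to work (shared secret under FIPS).
trust_add_args() {
    method="$1"; domain="$2"; fips="$3"; admin="${4:-Administrator}"
    case "$method" in
        shared-secret)
            if [ "$fips" = "1" ]; then
                echo "refusing: shared-secret trust uses NTLMSSP, which is not available in FIPS mode; use the admin method instead" >&2
                return 1
            fi
            echo "--type=ad $domain --trust-secret"
            ;;
        admin)
            echo "--type=ad $domain --admin $admin --password"
            ;;
        *)
            echo "unknown method: $method" >&2
            return 2
            ;;
    esac
}

# Usage with constructed values: prefer the shared-secret method, but fall
# back to AD admin credentials when the live FIPS state rules it out.
main() {
    fips=$(fips_enabled)
    if args=$(trust_add_args shared-secret ad.example.test "$fips"); then
        echo "ipa trust-add $args"
    else
        echo "ipa trust-add $(trust_add_args admin ad.example.test "$fips")"
    fi
}

main
```

The check runs on the IdM side before anything touches the AD forest, which is where the "Access is denied" in the log above would otherwise surface; failing early with a clear message is cheaper than diagnosing an NTLMSSP failure from the Windows error.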

            ftrivino@redhat.com Francisco Trivino Garcia
            sorlov@redhat.com Sergey Orlov (Inactive)