RHEL-4898

ipa trust-add fails with ipa: ERROR: Insufficient access in FIPS mode

    • sst_idm_ipa
    • ssg_idm
    • Known Issue
      IdM in FIPS mode does not support using the NTLMSSP protocol to establish a two-way cross-forest trust

      Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the RC4 NTLM hash that the AD domain controller uses when attempting to authenticate.
    • Done

      Description of problem:

      Even after applying "update-crypto-policies --set FIPS:AD-SUPPORT", "ipa trust-add" fails with the error "Insufficient access in FIPS mode."

      Version-Release number of selected component (if applicable):
      ipa-server-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64
      ipa-server-dns-4.9.10-5.module+el8.7.0+16195+c459c321.noarch
      ipa-server-trust-ad-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64
      sssd-ipa-2.7.3-2.el8.x86_64

      How reproducible:
      100%

      console output:
      2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Setting system policy to FIPS:AD-SUPPORT
      2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Note: System-wide crypto policies are applied on application start-up.
      2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] It is recommended to restart the system for the change of policies
      2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] to fully take place.

      Running 'echo <xxxxxxxx> | ipa trust-add win2012r2-fl8g.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'

      2022-08-22T18:17:01+0000 [ip-10-0-203-230.rhos] *** Current Time: Mon Aug 22 14:17:00 2022 Localwatchdog at: Tue Aug 23 13:31:00 2022
      2022-08-22T18:17:08+0000 [ip-10-0-203-147.rhos] *** Current Time: Mon Aug 22 14:17:07 2022 Localwatchdog at: Tue Aug 23 13:31:06 2022
      2022-08-22T18:17:32+0000 [ip-10-0-203-230.rhos] ipa: ERROR: Insufficient access: IPA master denied trust validation requests from AD DC 10 times. Most likely AD DC contacted a replica that has no trust information replicated yet. Additionally, please check that AD DNS is able to resolve _ldap._tcp.atmt2k12r2.test, _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.atmt2k12r2.test SRV records to the correct IPA server.

      Additional information:
      sssd.log
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x4000): RID#1 Trying to add idmap for domain [S-1-5-21-2745230106-1393044594-1451765025].
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sss_domain_get_state] (0x1000): RID#1 Domain atmt2k12r2.test is Active
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x0040): RID#1 find_domain_by_sid failed with SID [S-1-5-21-2745230106-1393044594-1451765025].
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): RID#1 ipa_idmap_check_posix_child failed.
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): RID#1 Could not add new domain for sid [S-1-5-21-2745230106-1393044594-1451765025]
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_subdom_store] (0x0400): RID#1 Domain mpg mode for win2012r2-fl8g.test: false
      (2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ldb] (0x10000): RID#1 Added timed event "ldb_kv_callback": 0x564d23962a80
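The error message above asks the operator to verify two things before blaming the trust itself: the host's FIPS state and active crypto policy, and whether AD DNS resolves the IdM SRV records to the correct IPA server. The following pre-flight script is an added example; it is not part of the RHEL-4898 report or of the IdM project's code. It relies on three RHEL 8 commands whose output formats are well known (`fips-mode-setup --check`, `update-crypto-policies --show`, `dig +short SRV`) and keeps all parsing in plain functions so the logic can be exercised offline against captured output. The host names in the usage comment (ipa.atmt2k12r2.test, an AD DNS server address) are placeholders, not values from the report.

```shell
#!/bin/sh
# Added example, not from the RHEL-4898 report: pre-flight checks to run on an
# IdM server before attempting `ipa trust-add ... --two-way=True` in FIPS mode.
#
# classify_policy: takes the text printed by `fips-mode-setup --check` and by
# `update-crypto-policies --show`, prints one of
#   not-fips | fips-no-ad-support | fips-ad-support
# The report shows that fips-ad-support is still not enough for a two-way
# trust (NTLMSSP / RC4 is rejected in FIPS mode), so the verdict only tells
# you which failure mode you are in, not that the trust will succeed.
classify_policy() {
    fips_check="$1"
    policy="$2"
    case "$fips_check" in
        *"FIPS mode is enabled"*) ;;
        *) echo "not-fips"; return 0 ;;
    esac
    case "$policy" in
        FIPS:AD-SUPPORT*) echo "fips-ad-support" ;;
        *) echo "fips-no-ad-support" ;;
    esac
}

# srv_targets_ok: reads `dig +short SRV` output from stdin, one record per
# line in the form "priority weight port target.", and checks that every
# record targets the expected IdM server FQDN (given as $1).
# Returns 0 only if at least one record was seen and all of them match.
srv_targets_ok() {
    expected="$1"
    seen=0
    bad=0
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        seen=$((seen + 1))
        target="${target%.}"          # drop the trailing dot of the DNS name
        if [ "$target" != "$expected" ]; then
            echo "SRV record targets $target, expected $expected" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Live run on the IdM server (placeholder names, replace with your own):
#   sh trust_preflight.sh --live atmt2k12r2.test ipa.atmt2k12r2.test 10.0.0.5
# Arguments: IdM domain, IdM server FQDN, an AD DNS server to query. The two
# SRV names are the ones the ipa trust-add error message tells you to check.
if [ "${1:-}" = "--live" ]; then
    idm_domain="$2"
    idm_host="$3"
    ad_dns="$4"
    echo "crypto policy state: $(classify_policy "$(fips-mode-setup --check)" "$(update-crypto-policies --show)")"
    for rec in "_ldap._tcp.$idm_domain" \
               "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$idm_domain"; do
        if dig @"$ad_dns" +short SRV "$rec" | srv_targets_ok "$idm_host"; then
            echo "ok:   $rec -> $idm_host"
        else
            echo "FAIL: $rec does not resolve to $idm_host via $ad_dns"
        fi
    done
fi
```

The SRV check is run from the IdM side against the AD DNS server on purpose: the error says the AD DC contacted the wrong IPA host, so what matters is what AD's resolver returns for the IdM domain, which normally depends on a conditional forwarder on the AD side rather than on IdM's own zone.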

            ftrivino@redhat.com Francisco Trivino Garcia
            mvarun@redhat.com Varun Mylaraiah
            Francisco Trivino Garcia
            IPA QE Bot
            Filip Hanzelka