- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0
- ipa-4.12.2-8.el10
- No
- Important
- 1
- rhel-sst-idm-ipa
- ssg_idm
- 16
- 18
- 2
- QE ack, Dev ack
- False
- No
- 2024-Q4-Alpha-S5
- Pass
- Automated
- Unspecified Release Note Type - Unknown
- None
Cloned from: https://pagure.io/freeipa/issue/9702

### Issue

In FIPS mode, the command `ipa trust-add` fails with `an internal error has occurred`.

#### Steps to Reproduce

1. Install a machine in FIPS mode, configure ipa server
2. Execute `ipa trust-add` in one-way mode

#### Actual behavior

The command fails with `ipa: ERROR: an internal error has occurred`

/var/log/httpd/error_log:

```
to set perms (3140) on file (/run/ipa/ccaches/admin@UFREEIPA.TEST-r3n4qZ)!, referer: https://master.ufreeipa.test/ipa/xml
] ipa: ERROR: non-public: OSError: encryption failed
] Traceback (most recent call last):
] File "/usr/lib/python3.13/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
] result = command(*args, **options)
] File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
] return self.__do_call(*args, **options)
] ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
] File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
] ret = self.run(*args, **options)
] File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 885, in run
] return self.execute(*args, **options)
] ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
] File "/usr/lib/python3.13/site-packages/ipaserver/plugins/trust.py", line 769, in execute
] result = self.execute_ad(full_join, *keys, **options)
] File "/usr/lib/python3.13/site-packages/ipaserver/plugins/trust.py", line 1030, in execute_ad
] result = self.trustinstance.join_ad_full_credentials(
] keys[-1],
] ...<3 lines>...
] trust_type
] )
] File "/usr/lib/python3.13/site-packages/ipaserver/dcerpc.py", line 1847, in join_ad_full_credentials
] self.remote_domain.establish_trust(self.local_domain,
] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
] trustdom_pass,
] ^^^^^^^^^^^^^^
] trust_type,
] ^^^^^^^^^^^
] trust_external)
] ^^^^^^^^^^^^^^^
] File "/usr/lib/python3.13/site-packages/ipaserver/dcerpc.py", line 1397, in establish_trust
] self.generate_auth(trustdom_secret)
] ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
] File "/usr/lib/python3.13/site-packages/ipaserver/dcerpc.py", line 1068, in generate_auth
] encrypted_trustpass = arcfour_encrypt(self._pipe.session_key,
] trustpass_blob)
] File "/usr/lib64/python3.13/site-packages/samba/__init__.py", line 353, in arcfour_encrypt
] return arcfour_crypt_blob(data, key)
] OSError: encryption failed
] ipa: INFO: [jsonserver_session] admin@UFREEIPA.TEST: trust_add/1('ad-szhf.test', trust_type='ad', realm_admin='Administrator@ad-szhf.test', realm_passwd='********', range_type='ipa-ad-trust', version='2.254'): InternalError
```

Packages:

- freeipa-server-4.13.0.dev202411150939+git-0.fc41.x86_64
- crypto-policies-20241029-1.git8baf557.fc41.noarch
- samba-4.21.1-7.fc41.x86_64
- links to: RHBA-2024:139322 ipa bug fix and enhancement update