Description of problem:
Even after applying "update-crypto-policies --set FIPS:AD-SUPPORT", the ipa trust-add fails with the error "Insufficient access in FIPS mode."

Version-Release number of selected component (if applicable):
ipa-server-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64
ipa-server-dns-4.9.10-5.module+el8.7.0+16195+c459c321.noarch
ipa-server-trust-ad-4.9.10-5.module+el8.7.0+16195+c459c321.x86_64
sssd-ipa-2.7.3-2.el8.x86_64

How reproducible:
100%

Console output:
2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Setting system policy to FIPS:AD-SUPPORT
2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] Note: System-wide crypto policies are applied on application start-up.
2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] It is recommended to restart the system for the change of policies
2022-08-22T18:01:03+0000 [ip-10-0-203-230.rhos] to fully take place.
Running 'echo <xxxxxxxx> | ipa trust-add win2012r2-fl8g.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'
2022-08-22T18:17:01+0000 [ip-10-0-203-230.rhos] *** Current Time: Mon Aug 22 14:17:00 2022 Localwatchdog at: Tue Aug 23 13:31:00 2022
2022-08-22T18:17:08+0000 [ip-10-0-203-147.rhos] *** Current Time: Mon Aug 22 14:17:07 2022 Localwatchdog at: Tue Aug 23 13:31:06 2022
2022-08-22T18:17:32+0000 [ip-10-0-203-230.rhos] ipa: ERROR: Insufficient access: IPA master denied trust validation requests from AD DC 10 times. Most likely AD DC contacted a replica that has no trust information replicated yet. Additionally, please check that AD DNS is able to resolve _ldap._tcp.atmt2k12r2.test, _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.atmt2k12r2.test SRV records to the correct IPA server.

Additional information:
sssd.log
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x4000): RID#1 Trying to add idmap for domain [S-1-5-21-2745230106-1393044594-1451765025].
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sss_domain_get_state] (0x1000): RID#1 Domain atmt2k12r2.test is Active
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x0040): RID#1 find_domain_by_sid failed with SID [S-1-5-21-2745230106-1393044594-1451765025].
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): RID#1 ipa_idmap_check_posix_child failed.
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): RID#1 Could not add new domain for sid [S-1-5-21-2745230106-1393044594-1451765025]
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_subdom_store] (0x0400): RID#1 Domain mpg mode for win2012r2-fl8g.test: false
(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ldb] (0x10000): RID#1 Added timed event "ldb_kv_callback": 0x564d23962a80
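To triage an sssd.log excerpt like the one above, here is an added example (not part of the report or of SSSD itself) that parses SSSD debug records, keeps only failure-level ones, and lists the domain SIDs that find_domain_by_sid could not map. The level-to-name mapping assumes SSSD's standard debug-level bits; the sample lines are quoted from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# SSSD debug-level bits (assumed from sssd's util/debug.h); only the failure
# levels matter when triaging the trust-add problem, trace levels are noise.
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical",
                  0x0040: "op-failure", 0x0080: "minor-failure"}

# One sssd.log record: "(ts): [be[domain]] [function] (0xLEVEL): RID#n msg"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?:RID#(?P<rid>\d+) )?(?P<msg>.*)$")
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")

@dataclass
class Failure:
    rid: Optional[str]   # request id; all records of one lookup share it
    func: str            # SSSD function that logged the failure
    level: str
    sid: Optional[str]   # domain SID named in the message, if any
    msg: str

def idmap_failures(lines: List[str]) -> List[Failure]:
    """Return failure-level records in log order, dropping trace output."""
    out: List[Failure] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # continuation line or unrelated text
        level = int(m.group("level"), 16)
        if level not in FAILURE_LEVELS:
            continue
        sid = SID_RE.search(m.group("msg"))
        out.append(Failure(m.group("rid"), m.group("func"), FAILURE_LEVELS[level],
                           sid.group(0) if sid else None, m.group("msg")))
    return out

def sids_without_domain(failures: List[Failure]) -> List[str]:
    """SIDs that find_domain_by_sid could not map: the trust is not known locally."""
    return sorted({f.sid for f in failures
                   if f.sid and "find_domain_by_sid failed" in f.msg})

SAMPLE = [  # log lines quoted from the report above, embedded as sample input
    '(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x4000): RID#1 Trying to add idmap for domain [S-1-5-21-2745230106-1393044594-1451765025].',
    '(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_check_posix_child] (0x0040): RID#1 find_domain_by_sid failed with SID [S-1-5-21-2745230106-1393044594-1451765025].',
    '(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_idmap_get_ranges_from_sysdb] (0x0040): RID#1 ipa_idmap_check_posix_child failed.',
    '(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): RID#1 Could not add new domain for sid [S-1-5-21-2745230106-1393044594-1451765025]',
    '(2022-08-22 14:30:17): [be[atmt2k12r2.test]] [ipa_subdom_store] (0x0400): RID#1 Domain mpg mode for win2012r2-fl8g.test: false',
]
```

Run `idmap_failures(SAMPLE)` against a full sssd.log and the first failure-level record of a request id is the one closest to the cause; here it is the unmapped SID, which matches the trust-validation denial in the console output.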
Unresolved