#9427 RHEL 8.8 & 9.2 fails to create AD trust with STIG applied
Closed: fixed 10 months ago by frenaud. Opened 10 months ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 2216532

Created attachment 1971942
log files

Description of problem:
  RHEL 8.8 & 9.2 fails to create AD trust with STIG applied.


Version-Release number of selected component (if applicable):
  RHEL 8.8 and 9.2

How reproducible:
  consistent

Steps to Reproduce:
1. Install OS with DISA STIG security profile
2. Install IdM
3. Create trust
3a. ipa trust-add --type=ad <ad domain>

Actual results:
body: b'{"result": null, "error": {"code": 4016, "message": "CIFS server communication error: code \\"3221225581\\", message \\"The attempted logon is invalid. This is either due to a bad username or authentication information.\\" (both may be \\"None\\")", "data": {"reason": "CIFS server communication error: code \\"3221225581\\", message \\"The attempted logon is invalid. This is either due to a bad username or authentication information.\\" (both may be \\"None\\")"}, "name": "RemoteRetrieveError"}, "id": 0, "principal": "admin@LAB18.EXAMPLE.COM", "version": "4.9.11"}'
ipa: INFO: Response: {
    "error": {
        "code": 4016,
        "data": {
            "reason": "CIFS server communication error: code \"3221225581\", message \"The attempted logon is invalid. This is either due to a bad username or authentication information.\" (both may be \"None\")"
        },
        "message": "CIFS server communication error: code \"3221225581\", message \"The attempted logon is invalid. This is either due to a bad username or authentication information.\" (both may be \"None\")",
        "name": "RemoteRetrieveError"
    },
    "id": 0,
    "principal": "admin@LAB18.EXAMPLE.COM",
    "result": null,
    "version": "4.9.11"
}
ipa: ERROR: CIFS server communication error: code "3221225581", message "The attempted logon is invalid. This is either due to a bad username or authentication information." (both may be "None")

Expected results:
  Trust is created

Additional info:
DISA STIG applied during OS install and FIPS removed before IdM installation.

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2216532

10 months ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

10 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6956

10 months ago

master:

  • 7796b7b Installer: activate nss and pam services in sssd.conf

ipa-4-10:

  • 4a62a21 Installer: activate nss and pam services in sssd.conf

ipa-4-9:

  • f38eefd Installer: activate nss and pam services in sssd.conf

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Metadata Update from @abbra:
- Custom field changelog adjusted to Make sure SSSD configuration enables nss and pam services in all circumstances, even when existing SSSD configuration is present during deployment. In environments hardened with a STIG profile this fixes support for a trust to Active Directory .

7 months ago

Metadata Update from @abbra:
- Custom field changelog adjusted to Make sure SSSD enables nss and pam services in all circumstances, even when existing SSSD configuration is present during deployment. In environments hardened with a STIG profile this fixes support for a trust to Active Directory . (was: Make sure SSSD configuration enables nss and pam services in all circumstances, even when existing SSSD configuration is present during deployment. In environments hardened with a STIG profile this fixes support for a trust to Active Directory .)

7 months ago

Log in to comment on this ticket.

Metadata