Ty zang via FreeIPA-users wrote:
> Hello all
>
> I have a FIPS-140 RHEL 9.5 vm that I installed FreeIPA v4.12 onto and started
> configuring it. I am working with the DoD DISA STIGs to harden the system,
> which is ultimately the root cause of my problems; specifically I suspect the
> /etc/crypto-policies/backends files.
>
> When I try to add an external trust to my AD server, it fails to add it,
> saying CIFS server communication errors. What "fixes" that is to run
> update-crypto-policies DEFAULT:AD-LEGACY, which after a reboot breaks my
> FIPS but lets me add the domain controller trust.
>
> The problem is, now I cannot authenticate with my AD accounts to the client
> RHEL machines. The error I see in /var/log/secure is "KDC does not support
> the encryption type". So I have a few questions:
>
> 1) Are there known issues between FreeIPA 4.12 / FIPS / RHEL9?
> 2) Has anyone run into a situation where they were unable to set up a
>    trust with AD when FIPS is enabled?
> 3) Any hints on where I can find what algorithms AD is expecting, and could
>    I maybe configure sssd to use those without setting DEFAULT: away from FIPS
>    to AD-LEGACY or something else like that?
>
> Thanks ahead of time for the information.
See https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/installing_trust_between_idm_and_ad/index#ad-administration-rights_installing-trust-between-idm-and-ad

rob
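The question above asks where to see which Kerberos encryption types the system will offer once a crypto policy (FIPS, DEFAULT, or the AD-LEGACY subpolicy) is applied. The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell script that reads the permitted_enctypes line from a krb5 back-end file such as /etc/crypto-policies/back-ends/krb5.config (the path and the sample file contents are assumptions, constructed here so the script runs offline) and reports whether the legacy rc4-hmac enctype has been re-enabled, which is the kind of change AD-LEGACY makes and the kind a FIPS audit would want flagged.

```shell
#!/bin/sh
# Added example (not part of the original thread). Reads the Kerberos
# permitted_enctypes list from a crypto-policies krb5 back-end file and
# classifies it. Real usage (path is an assumption about the system layout):
#   enctypes_report /etc/crypto-policies/back-ends/krb5.config

# Print the space-separated value of the first permitted_enctypes line in $1.
permitted_enctypes() {
    sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed (exit 0) if the legacy rc4-hmac enctype is in the list.
has_rc4() {
    permitted_enctypes "$1" | tr ' ' '\n' | grep -qx 'rc4-hmac'
}

# Succeed (exit 0) if at least one AES enctype is in the list.
has_aes() {
    permitted_enctypes "$1" | tr ' ' '\n' | grep -q '^aes'
}

# Print one word describing the list: NO-AES, LEGACY-RC4, or AES-ONLY.
enctypes_report() {
    if ! has_aes "$1"; then
        echo NO-AES
    elif has_rc4 "$1"; then
        echo LEGACY-RC4
    else
        echo AES-ONLY
    fi
}

# Constructed sample files standing in for the real back-end file.
sample_fips=$(mktemp)
sample_legacy=$(mktemp)
trap 'rm -f "$sample_fips" "$sample_legacy"' EXIT

# Constructed: an AES-only list such as a FIPS-style policy would generate.
cat > "$sample_fips" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128
EOF

# Constructed: the same list with rc4-hmac appended, as a legacy subpolicy would.
cat > "$sample_legacy" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 rc4-hmac
EOF

echo "fips-style list:   $(enctypes_report "$sample_fips")"
echo "legacy-style list: $(enctypes_report "$sample_legacy")"
```

Run it on the real back-end file after each `update-crypto-policies --set` and reboot to confirm which enctypes the host will actually negotiate; a LEGACY-RC4 result on a host that is supposed to be FIPS-enforcing is the condition to catch.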
