Hello all,

I have a FIPS-140 RHEL 9.5 VM that I installed FreeIPA v4.12 onto and started configuring. I am working with the DoD DISA STIGs to harden the system, which is ultimately the root cause of my problems; specifically, I suspect the /etc/crypto-policies/backends files.

When I try to add an external trust to my AD server, it fails to add it, reporting CIFS server communication errors. What “fixes” that is to run update-crypto-policies DEFAULT:AD-LEGACY, which, after a reboot, breaks my FIPS but lets me add the domain controller trust. The problem is that now I cannot authenticate with my AD accounts to the client RHEL machines. The error I see in /var/log/secure is “KDC does not support the encryption type”.

So I have a few questions:

1) Are there known issues between FreeIPA 4.12 / FIPS / RHEL9?
2) Has anyone run into a situation where they were unable to set up a trust with AD when FIPS is enabled?
3) Any hints on where I can find what algorithms AD is expecting, and could I maybe configure sssd to use those without setting DEFAULT: away from FIPS to AD-LEGACY or something else like that?

Thanks ahead of time for the information.
