I've added a RHEL 9 server to my IPA domain and I am finding that 'ipa vault-retrieve' fails intermittently.
It turns out that whenever the ipa client talks to the RHEL 9 server,
this error happens:
$ ipa vault-retrieve --service host/myhost.example.com manager-password
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
  File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3/dist-packages/ipaclient/plugins/vault.py", line 1069, in forward
    vault_data = self._unwrap_response(
  File "/usr/lib/python3/dist-packages/ipaclient/plugins/vault.py", line 1021, in _unwrap_response
    cipher = Cipher(algo, modes.CBC(nonce), backend=default_backend())
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/ciphers/base.py", line 97, in __init__
    mode.validate_for_algorithm(algorithm)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/ciphers/modes.py", line 85, in _check_iv_and_key_length
    _check_iv_length(self, algorithm)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/ciphers/modes.py", line 69, in _check_iv_length
    raise ValueError(
ValueError: Invalid IV size (16) for CBC.
ipa: ERROR: an internal error has occurred
I can reproduce this both on Debian unstable (with ipalib 4.9.8-1) and RHEL 8. I do this by overriding the value of xmlrpc_uri in /etc/ipa/default.conf to point to the RHEL 9 server before running 'ipa vault-retrieve'.
If I run the command on the RHEL 9 server, it works fine. I don't have a
RHEL 9 client to test with.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9