RHEL 7.3 FIPS and CIFS mount


I was building a hardened RHEL 7.3 image and applied FIPS. This resulted in several problems, the first was associated with gpg and Red Hat provided a fix see discussion RHEL 7.3 gpg error or Case 01784863.

The second problem was creating a CIFS mount to a Microsoft Windows share. I was informed that this was not related to "gpg", that this was a "kernel crypto" related problem.

I am unsure of how to approach this, at this time.

The attached image shows the output.

TIA for any assistance
Scott M.

Responses

Not sure if my image uploaded, so the error is:

    [ 2608.112263] CIFS VFS: could not allocate crypto hmacmd5
    [ 2608.112317] CIFS VFS: could not crypto alloc hmacmd5 rc -2
    [ 2608.112359] CIFS VFS: Error -2 during NTLMSSP authenication

The problem persists after resolving the fips issues, created a support case for it. Case # 01826923: cifs mount failed with fips configured.

Were you able to get CIFS share mounted with FIPS turned on? Is there a solution for this? I opened a case with RH and they are telling me the solution is to disable FIPS, which is unacceptable.

All interested in FIPS, I've submitted a case (that will probably be quite a bear) for Red Hat saying that the 29 CAT I issues in the current STIG need to be able to be implemented. We're told (by my customer) that we are not allowed to dismiss or "POAM" a CAT I issue and must fix them. For example, Samba, Gluster, and Satellite server (to name a few) cannot run with FIPS.

One of the replies I received in my case is that for a business model, Red Hat needs to know the customers that this would be applicable to, to aid in justification. My initial reply to the case I have open is that the STIG and the fact it is a CAT I issue make the business model, because those are the items of highest interest to the DoD or other government components.

Incidentally, it's a misnomer to believe that STIG only applies to the government. Now certainly, they must abide by it by mandate, but there are plenty of other entities (banks, and others I'm told by reliable sources) that do use the STIG.

So all of this being said, those items that are truly CAT I findings that reportedly can't be fixed should really be brought to the attention of Red Hat in a case. Do I expect this to happen from every customer, or even 50% of the customers, or even 25% of the customers that really do abide by/use the STIG (whether by interest or mandate)? My answer to this question is "no", I don't expect much reply. That being said, I would believe that any CAT I issue really ought to be a priority for Red Hat since it is of interest to many of their customer base, even if their customer base doesn't report in with a "me too" ticket.

So... All of this is in hopes that some others might open cases with Red Hat for those CAT I (or other category STIG items) and let them know their interest. Holding my breath??

Regards,

RJ

A slightly different focus: a discussion for just the CAT I items that currently cannot be resolved with specific server roles. For example (not limited to this example), Satellite, Gluster, and Samba servers cannot endure FIPS being active. For anyone interested in CAT I items (the most severe of a given STIG) being resolved, please see this thread https://access.redhat.com/discussions/3508811

Red Hat informed me today that the following CLOSED bug says FIPS support has been fixed in the latest Samba:

"Bug 1436342 - Bump samba version, required for FIPS mode and privilege separation" https://bugzilla.redhat.com/show_bug.cgi?id=1436342

I'm pretty sure you'd have to update the system and not stay at RHEL 7.3

Regards, RJ

"I'm pretty sure you'd have to update the system and not stay at RHEL 7.3"
Very good advice from you RJ - and not only for this (FIPS/Samba) reason.

Cheers :)
Christian

Here's how I solved this.

Mount CIFS shares on FIPS-compliant Red Hat

Make sure the Kerberos package is installed:

    yum install krb5-workstation

Use ktutil to create a Kerberos keytab file:

    ktutil
    addent -password -p username@DOMAIN.COM -k 1 -e RC4-HMAC
    (enter password for username)
    wkt username.keytab
    q

Merge the keytab into the default keytab file /etc/krb5.keytab:

    ktutil
    rkt /etc/krb5.keytab

Get a ticket from the keytab:

    kinit username@DOMAIN.COM -k -t /home/username/username.keytab

Add an entry to /etc/fstab:

    //cifs-server/Share$/share /mount-point cifs _netdev,username=username@DOMAIN.COM,sec=krb5,dir_mode=0755,file_mode=0755,uid=username,gid=username 0 0
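An added example, not from any post in this thread: a small POSIX shell audit that flags /etc/fstab CIFS entries whose authentication mode still depends on hmacmd5 (NTLMSSP, which the kernel uses when sec= is absent, and the other NTLM variants), the algorithm the FIPS kernel refuses to allocate in the error quoted earlier in the thread; Kerberos entries like the one in this post pass. The function names and the sample fstab are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit fstab CIFS entries for
# authentication modes that fail on a FIPS-enabled RHEL 7 kernel.
# NTLMSSP (the default when sec= is omitted) and the other NTLM
# modes need hmac(md5); sec=krb5/krb5i/krb5p do not.

# Print the sec= value of an fstab options field, or "ntlmssp"
# (the kernel default) when none is given.
cifs_sec_mode() {
    mode=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'ntlmssp\n'; fi
}

# Return 0 if a sec mode avoids hmacmd5 (usable under FIPS), 1 otherwise.
fips_safe_sec() {
    case $1 in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Read fstab-format lines from file $1 and report each cifs entry.
# Exit status is the number of entries that would fail under FIPS.
audit_cifs_fstab() {
    bad=0
    while read -r src mnt fstype opts rest; do
        case $src in ''|\#*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        mode=$(cifs_sec_mode "$opts")
        if fips_safe_sec "$mode"; then
            echo "OK   $src on $mnt (sec=$mode)"
        else
            echo "FAIL $src on $mnt (sec=$mode needs hmacmd5)"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample fstab (not a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
//cifs-server/Share$/share /mnt/share cifs _netdev,username=username@DOMAIN.COM,sec=krb5,uid=username 0 0
//cifs-server/old /mnt/old cifs _netdev,credentials=/root/.smbcred 0 0
//cifs-server/legacy /mnt/legacy cifs _netdev,credentials=/root/.smbcred,sec=ntlmv2 0 0
EOF
if audit_cifs_fstab "$sample"; then echo "all cifs entries FIPS-safe"
else echo "cifs entries needing attention: $?"; fi
rm -f "$sample"
```

Run it against the real /etc/fstab by passing that path to audit_cifs_fstab; the two constructed legacy entries above are reported as FAIL, the sec=krb5 entry as OK.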

