From 09481117b58f1a237bb1048d3fe8d44caf9e167f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Mar 2022 09:51:08 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d714ca237290be7dc2fb7233ce747eca:
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-based encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/pytest_ipa/integration/fips.py | 2 +-
ipatests/pytest_ipa/integration/tasks.py | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
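diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index b33aa91b14552d6f47191c913db4f974a5a5948c..5c281e5e253bfc3e3c227172c99bf2fe8578cc11 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -72,5 +72,5 @@ def disable_userspace_fips(host):
 
 def enable_crypto_subpolicy(host, subpolicy):
 result = host.run_command(["update-crypto-policies", "--show"])
- policy = result.stdin_text.strip() + ":" + subpolicy
+ policy = result.stdout_text.strip() + ":" + subpolicy
 host.run_command(["update-crypto-policies", "--set", policy])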
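Review bot: `enable_crypto_subpolicy` appends the subpolicy unconditionally, so when `--show` already reports it (for instance `FIPS:AD-SUPPORT`) the value passed to `--set` becomes `FIPS:AD-SUPPORT:AD-SUPPORT`. This commit adds calls from install_replica, install_client and install_adtrust, so a single host can plausibly reach the helper more than once in a run. Returning early when the subpolicy is already active would make it idempotent, e.g. `current = result.stdout_text.strip()` followed by `if subpolicy in current.split(":")[1:]: return`. A short docstring saying that the helper changes the host-wide crypto policy and that nothing in the visible lines restores it would help anyone reusing it. The function may continue past the end of the hunk.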
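diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 1119f55efe639aff409c4b17a04943f280869419..8a1b5d383db1b09a5dc3cab7ee58ceb071e4fbc2 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -499,6 +499,8 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 if setup_adtrust:
 args.append('--setup-adtrust')
 fw_services.append("freeipa-trust")
+ if is_fips_enabled(replica):
+ enable_crypto_subpolicy(replica, "AD-SUPPORT")
 if master_authoritative_for_client_domain(master, replica):
 args.extend(['--ip-address', replica.ip])
 
@@ -568,6 +570,8 @@ def install_client(master, client, extra_args=[], user=None,
 
 args.extend(extra_args)
 
+ if is_fips_enabled(client) and 'ad' in master:
+ enable_crypto_subpolicy(client, "AD-SUPPORT")
 result = client.run_command(args, stdin_text=stdin_text)
 
 setup_sssd_conf(client)
@@ -582,6 +586,8 @@ def install_adtrust(host):
 Configures the compat tree for the legacy clients.
 """
 kinit_admin(host)
+ if is_fips_enabled(host):
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
 host.run_command(['ipa-adtrust-install', '-U',
 '--enable-compat',
 '--netbios-name', host.netbios,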
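Review bot: In the install_client hunk, `'ad' in master` applies `in` to the master host object itself. Unless that type implements `__contains__` or iteration (not visible here), the expression raises TypeError, and because of the short-circuit it does so only on FIPS-enabled clients, so non-FIPS runs would never exercise it. The AD condition would be safer stated explicitly, for example as a keyword argument supplied by the AD-trust tests, rather than as a membership test on the host. All three call sites relax the host-wide crypto policy as a side effect of an install helper, so each deserves a comment such as `# AD-SUPPORT relaxes the FIPS policy host-wide for AD trust; not reverted in this helper`. Indentation is flattened on this page and all three functions start and end outside their hunks, so the nesting of the added lines should be confirmed against the file.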
--
2.34.1