From 09481117b58f1a237bb1048d3fe8d44caf9e167f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 25 Mar 2022 09:51:08 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d714ca237290be7dc2fb7233ce747eca: Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS mode. This is required in FIPS mode due to AD not supporting Kerberos AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy
Reviewed-By: Anuja More
---
 ipatests/pytest_ipa/integration/fips.py | 2 +-
 ipatests/pytest_ipa/integration/tasks.py | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index b33aa91b14552d6f47191c913db4f974a5a5948c..5c281e5e253bfc3e3c227172c99bf2fe8578cc11 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -72,5 +72,5 @@ def disable_userspace_fips(host):
 def enable_crypto_subpolicy(host, subpolicy):
 result = host.run_command(["update-crypto-policies", "--show"])
- policy = result.stdin_text.strip() + ":" + subpolicy
+ policy = result.stdout_text.strip() + ":" + subpolicy
 host.run_command(["update-crypto-policies", "--set", policy])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 1119f55efe639aff409c4b17a04943f280869419..8a1b5d383db1b09a5dc3cab7ee58ceb071e4fbc2 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
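Review bot: enable_crypto_subpolicy in fips.py appends `subpolicy` to whatever `--show` prints without checking whether it is already part of the active policy, so a second call on the same host would request something like `FIPS:AD-SUPPORT:AD-SUPPORT`. This patch adds three more call sites in tasks.py, so one host can plausibly reach the function twice (install_replica with setup_adtrust, then install_adtrust). Whether update-crypto-policies accepts the repeated module is not visible here; a guard avoids depending on it: `current = result.stdout_text.strip()` followed by `if subpolicy in current.split(":"): return` before the `--set` call. The function also has no docstring; one sentence saying that it changes the system-wide policy and that the change persists on the host would help readers of the callers.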
@@ -499,6 +499,8 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 if setup_adtrust:
 args.append('--setup-adtrust')
 fw_services.append("freeipa-trust")
+ if is_fips_enabled(replica):
+ enable_crypto_subpolicy(replica, "AD-SUPPORT")
 if master_authoritative_for_client_domain(master, replica):
 args.extend(['--ip-address', replica.ip])
@@ -568,6 +570,8 @@ def install_client(master, client, extra_args=[], user=None,
 args.extend(extra_args)
+ if is_fips_enabled(client) and 'ad' in master:
+ enable_crypto_subpolicy(client, "AD-SUPPORT")
 result = client.run_command(args, stdin_text=stdin_text)
 setup_sssd_conf(client)
@@ -582,6 +586,8 @@ def install_adtrust(host):
 Configures the compat tree for the legacy clients.
 """
 kinit_admin(host)
+ if is_fips_enabled(host):
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
 host.run_command(['ipa-adtrust-install', '-U', '--enable-compat', '--netbios-name', host.netbios,
--
2.34.1
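Review bot: The new FIPS branch in install_replica carries no comment explaining why a FIPS host gets a relaxed crypto policy, and the same uncommented pair of lines appears in the install_client and install_adtrust hunks. AD-SUPPORT loosens the system-wide policy and nothing in the visible hunks restores it, so later non-AD tests on the same host would presumably run under the relaxed policy and could hide a FIPS regression. I would add `# AD lacks the RFC 8009 AES enctypes, so FIPS hosts need the AD-SUPPORT subpolicy for trust tests` above each check and mention the persistent side effect in the docstrings of the three functions. The body of install_replica starts and ends outside this hunk, and indentation is lost on this page, so the nesting under `if setup_adtrust:` is assumed.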
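Review bot: In the install_client hunk, `'ad' in master` applies a membership test to the host object itself, and nothing visible shows that the host type supports `in`. If it does not, the line raises TypeError, and only on FIPS-enabled clients because the `and` short-circuits everywhere else, which makes the failure easy to miss in non-FIPS runs. If the intent is that the topology includes an AD machine, the test should go against whatever configuration object lists the AD hosts, with a comment such as `# only relax the policy when the test topology contains an AD host`. The other two hunks enable the subpolicy on any FIPS host, so it is also worth stating why the client case needs the extra condition. install_client's body starts and ends outside the hunk.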