@@ -111,6 +111,12 @@ sub update_password {
111111 # Restore the password with --add-samba-data as requested by poo#91950
112112 script_retry(" adcli update --verbose --computer-password-lifetime=0 --domain '$AD_domain ' --add-samba-data" retry => 3, delay => 60, fail_message => " Error re-adding password with samba data"
113113
114+ # wbinfo -t gives "failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR" in FIPS mode, see bsc#1249042
115+ if (get_var(' FIPS_ENABLED'
116+ record_soft_failure(" bsc#1249042 - winbind issue in FIPS mode"
117+ return ;
118+ }
119+
114120 # Check the trust secret for the domain
115121 if (script_run(" wbinfo -tP"
116122 my $output = script_output(' wbinfo -tP' proceed_on_failure => 1);
@@ -142,12 +148,6 @@ sub run {
142148 record_info(" Not available" " this test run is not available for SLES version older than 12-SP3."
143149 return ;
144150 }
145- # when run in FIPS mode, bail out on < 15-SP6 due to lack of proper support for crypto-policies
146- # https://jira.suse.com/browse/PED-12018
147- if (get_var(' FIPS_ENABLED' ' <15-SP6'
148- record_info(' TEST SKIPPED' ' missing crypto-policies support for legacy AD auth'
149- return ;
150- }
151151 select_serial_terminal;
152152
153153 # Ensure the required variables are set
@@ -162,6 +162,17 @@ sub run {
162162
163163 $NetworkManager = 1 if is_networkmanager;
164164 samba_sssd_install();
165+
166+ # when in FIPS mode, we need to set the correct crypto policy
167+ # bail out if the system is too old to support AD in FIPS mode
168+ if (get_var(' FIPS_ENABLED'
169+ if (is_sle(' <15-SP6'
170+ record_info(' TEST SKIPPED' ' missing crypto-policies support for legacy AD auth'
171+ return 0;
172+ }
173+ assert_script_run ' update-crypto-policies --set FIPS:AD-SUPPORT'
174+ }
175+
165176 randomize_hostname(); # Prevent race condition with parallel test runs
166177 disable_ipv6(); # AD host is not reachable via IPv6 on some of our workers
167178 join_domain();
0 commit comments