# Fails in MIT build because MIT Kerberos in FIPS mode
# do not allow the key derivation functions used by aes256-cts-hmac-sha1-96
# and aes128-ctx-hmac-sha1-96. The ad_dc_fips env. runs heimdal build.
# Can't use a knownfail file bacuse the environment can't even be
# provisioned.
#
# From https://bugzilla.redhat.com/show_bug.cgi?id=2053135:
# This is because OpenSSL's "legacy" provider[1] is not available by default in this mode.
# Hence MD4[2] and MD5[3] hashing is impossible, and disabling FIPS properties similarly
# to the solution mentioned in bug 2039684, will not work here.
# A solution would be to fetch the hashing algorithm from an OpenSSL local context provider
# following this example[4], instead of fetching it from the global provider[5].
# [1] https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-legacy.html
# [2] https://www.openssl.org/docs/man3.0/man3/EVP_md4.html
# [3] https://www.openssl.org/docs/man3.0/man3/EVP_md5.html
# [4] https://github.com/cyrusimap/cyrus-sasl/pull/668/files#diff-19656c308089249f956b708a5037d00e771478b6d1db3bce17425d93c46d1ee1R1136
# [5] https://github.com/krb5/krb5/blob/krb5-1.19.2-final/src/lib/crypto/openssl/hash_provider/hash_evp.c#L67
#
# Passes in the ad_dc_fips env because it runs the heimdal build
^samba.tests.dcerpc.lsa_utils.samba.tests.dcerpc.lsa_utils.CreateTrustedDomain.test.*\(ad_dc\)
