freeipa team mailing list archive
Message #00522
[Bug 1746947] [NEW] failing autopkgtest due to password issue by nss
Public bug reported:
Hi,
I ran into failing autopkgtests of freeipa, but not the old "ip route output changed" case.
Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz
It essentially does this and fails:
$ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests
Containers:
Bionic-as-is: installs ok
Bionic-Proposed: installs ok
In LP Infra:
dpkg: error processing package freeipa-client (--configure):
installed freeipa-client package post-installation script subprocess returned error exit status 1
Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001

  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
Bionic-nss-only-from-Proposed: TRIGGERS the issue
freeipa-client calls this in its postinst:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb
      create_ipa_nssdb()
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb
      db.create_db(pwdfile)
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db
      self.run_certutil(["-N", "-f", password_filename])
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil
      return ipautil.run(new_args, stdin, **kwargs)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255
That is, if called alone, it complains about the password:
# /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
Note that there is a related freeipa fix in later versions:
freeipa (4.6.2-4) unstable; urgency=medium
* client.postinst: Migrate from old nssdb only if it exists.
And since that change freeipa has:
if [ -f /etc/ipa/nssdb/cert8.db ]; then
around the call.
It also changed the import slightly - the python is now:
  python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()'
That, in the "all-proposed" case with the cert8.db file copied over, is still failing, but differently:
/usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
The merge of nss was a minor bump 3.34->3.35
Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there.
I don't fully understand it yet - so filing this bug for a discussion.
I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on.
Do we have to:
- rebuild freeipa against newer nss?
- just mark something as a bad test?
- something else completely?
** Affects: freeipa (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions
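
A preflight check for the directory the postinst operates on, added here as an example (not code from the bug report or from FreeIPA's packaging). Since NSS 3.35, certutil defaults to the sql database format (cert9.db, key4.db) instead of the legacy dbm format (cert8.db, key3.db), so recording which files and what kind of password file are present helps when comparing the failing and working environments. The function names are hypothetical; the "action" field mirrors the cert8.db guard quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of FreeIPA's packaging.
# Reports the state of an NSS database directory before certutil is run on it.
#   legacy dbm format files: cert8.db key3.db secmod.db
#   sql format files:        cert9.db key4.db pkcs11.txt

# Print dbm, sql, both or none depending on which certificate DB files exist.
nssdb_format() {
    dbm=no; sql=no
    if [ -f "$1/cert8.db" ]; then dbm=yes; fi
    if [ -f "$1/cert9.db" ]; then sql=yes; fi
    case "$dbm/$sql" in
        yes/yes) echo both ;;
        yes/no)  echo dbm ;;
        no/yes)  echo sql ;;
        *)       echo none ;;
    esac
}

# Print missing, empty or set for the password file passed to certutil -f.
pwdfile_state() {
    if [ ! -f "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else echo set
    fi
}

# One-line summary. "action" mirrors the postinst guard quoted in the report:
# the migration call runs only when cert8.db exists.
nssdb_preflight() {
    dir=$1
    pw=${2:-$dir/pwdfile.txt}
    fmt=$(nssdb_format "$dir")
    if [ -f "$dir/cert8.db" ]; then action=migrate; else action=skip; fi
    echo "format=$fmt pwdfile=$(pwdfile_state "$pw") action=$action"
}

# Run against a directory given on the command line, e.g. /etc/ipa/nssdb.
if [ "$#" -gt 0 ]; then
    nssdb_preflight "$@"
fi
```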