freeipa team mailing list archive
-
freeipa team
-
Mailing list archive
-
Message #00529
[Bug 1746947] Re: failing autopkgtest due to password issue by nss
For a better overview and to make a decision (as a +really version always sucks to some extend) I did some tests:
- built nss 3.34 with the freebl3 change in ppa [1] as 2:3.35-2ubuntu1+really3.34-1ubuntu2
- set up some containers to test
- ran the sequence of installs/commands that freeipa tests would do
I did so in different combinations:
1. freeipa 4.4.4 + nss 3.34-1ubuntu1 (as bionic is)
2. freeipa 4.6.3 + nss 3.35-1ubuntu1 (full bionic proposed)
3. freeipa 4.4.4 + nss 3.35-1ubuntu1 (as tested by autopkgtest by pinning)
4. freeipa 4.4.4 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (ppa)
5. freeipa 4.6.3 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (proposed + ppa)
I tested:
- the install that fails in the autopkgtest
$ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common
freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib
python-ipaserver python-ipatests
- the python call that fails (old & new form of it as it needs an additional import in 4.6.2)
python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()'
#1 install #2 old python #3 new python
1. ok ok fail (4.4 has only old import)
2. ok (skip) fail (4.6 need new import) ok
3. fail fail (nss format) fail (4.4 has only old import)
4. ok ok fail (4.4 has only old import)
5. ok (skip) fail (4.6 need new import) ok
So an nss upload should work as planned with both verserions:
- freeipa 4.4 (case 4. #2)
- freeipa 4.6 (case 5. #3)
- and both cases would install (4./5. #1).
Due to the hint by Timo (thanks) I found [1] which explains a bit what is going on.
That is a nice change to be made in nss, but not unplanned and unprepared.
Some consuming packages need to be adapted first, and that was not what I intended by picking a new minor version. So that as well points to an upload reverting the move to 3.35.
Get me right - the move to 3.35 and the new file format should be done
at some point, but not now unplanned (it accidentally slipped in by the
merge) - so I'm uploading 2:3.35-2ubuntu1+really3.34-1ubuntu2 to un-
break it for now.
[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947
Title:
failing autopkgtest due to password issue by nss
Status in freeipa package in Ubuntu:
New
Status in nss package in Ubuntu:
Triaged
Bug description:
Hi,
I was failed by autopkgtests of freeipa, but not the old "ip route output changed" case.
Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz
It essentially does this and fails:
$ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests
Containers:
Bionic-as-is: installs ok
Bionic-Proposed: installs ok
In LP Infra:
dpkg: error processing package freeipa-client (--configure):
installed freeipa-client package post-installation script subprocess returned error exit status 1
Use Pinning to get the autopkgtest style:
# cat /etc/apt/preferences.d/nssonlyproposed
Package: *
Pin: release a=bionic
Pin-Priority: 1001
Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
Pin: release a=bionic-proposed
Pin-Priority: 1002
Bionic-nss-only-from-Proposed: TRIGGERS the issue
freeipa-client is in the postinst calling this:
python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb
create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb
db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db
self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil
return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255
That is - if called alone complaining about the passwd:
# /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
Note that there is a related freeipa fix in later versions:
freeipa (4.6.2-4) unstable; urgency=medium
* client.postinst: Migrate from old nssdb only if it exists.
And since that change freeipa has:
if [ -f /etc/ipa/nssdb/cert8.db ]; then
around the call.
It also changed the import slightly - now the python being:
python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
update_ipa_nssdb()'
That in the "all-proposed" case with the cert8.db file copied over is still failing but differently:
/usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
The merge of nss was a minor bump 3.34->3.35
Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there.
I don't fully understand it yet - so filing this bug for a discussion.
I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on.
Do we have to:
- rebuild freeipa against newer nss?
- just mark something as bad test
- something completely else?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions
References
