← Back to team overview

freeipa team mailing list archive

  1. freeipa team
  2. Mailing list archive
  3. Message #00530

[Bug 1746947] Re: failing autopkgtest due to password issue by nss

  Thread PreviousDate PreviousThread Next 
I was discussing this with Timo and he correctly pointed out that reverting [1] might be enough.
This would allow to get all fixes of 3.35, but at the same time not run into this bug here all over the place.

Building with that for some test runs.

[1]: https://github.com/nss-
dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output changed" case.
  Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb
      create_ipa_nssdb()
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb
      db.create_db(pwdfile)
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db
      self.run_certutil(["-N", "-f", password_filename])
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil
      return ipautil.run(new_args, stdin, **kwargs)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
     freeipa (4.6.2-4) unstable; urgency=medium                                       
                                                                                      
       * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions

References

  Thread PreviousDate PreviousThread Next