Hi Timo,
according to my sniff tests it will fail later on in 4.6.2 as well.
It seems the new nss makes the crypto/passwords no more behave the way as 

Of course the autopkgtest for 4.6.2 won't fail (as there is no old
cert8.db, so the call is skipped), but if there would be one (e.g. on an
upgrade) then it would fail (at least according to my tests in some

So as soon as I bad-test 4.4.4 things will go on as the autopkgtest
won't test the upgrade path. but it will still be "broken under the

I didn't expect a fix in 4.4.x but instead wondered if you might be able
to help to understand why it fails at all. And then depending on that
insight we can work on a fix for either nss or freeipa as needed.

You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.

  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:

Bug description:
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
      self.run_certutil(["-N", "-f", password_filename])
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
      return ipautil.run(new_args, stdin, **kwargs)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  Note that there is a related freeipa fix in later versions:
     freeipa (4.6.2-4) unstable; urgency=medium                                 
       * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

Reply via email to